Sweet Orange

Sweet Orange emerged in 2012 to fill the void left behind by the Blackhole EK after its author was arrested, and it quickly rose in popularity among cybercriminals. Sweet Orange contains many of the same features as other variants, including a database that records a list of successful infections, statistics about various current exploits, and regular malware updating. It is also capable of evading and disabling sandboxes. Much as the author of Blackhole attempted to do, the Sweet Orange authors have devised ways to prevent the security community from obtaining the kit’s source code by minimizing advertising and brokering only to trusted buyers. Client-side exploits found in the kit target Java, Internet Explorer, and Firefox. Sweet Orange is advertised as having the capability of redirecting 150,000 unique visitors to the malicious payload. As of 2015, the Sweet Orange EK also spreads TeslaCrypt ransomware. The Internet Crime Complaint Center considers TeslaCrypt the most current and significant ransomware threat targeting U.S. individuals and businesses.

Technical Details

  • Screenshots and details of the Sweet Orange EK are available from Webroot.

One example of the Sweet Orange EK. Image Source: Webroot