Blackhole's back: Hated exploit kit returns from the dead

Analysis reveals attack was put together using leaked source

The Black Hole's Maximilian. Source: Disney

The seemingly long-defunct Blackhole Exploit Kit has resurfaced in a fresh run of drive-by download attacks, according to research carried out by security firm Malwarebytes.

The cybercrime tool was widely used by hackers to push malware from compromised websites onto the Windows machines of visiting surfers for years up to October 2013, when the arrest of its alleged author Paunch in Russia spelled the end to updates.

Without new modules to take advantage of the latest software vulnerabilities, Blackhole rapidly lost its edge. Cybercrooks quickly switched to other exploit kits such as Angler instead, signalling the long-term decline of Blackhole.

That, it seemed, was the end of the story. Or so we thought. However, Malwarebytes has spotted an active drive-by download campaign via compromised websites bearing the hallmarks of the Blackhole Exploit Kit.

“We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages,” Jérôme Segura, a senior security researcher at Malwarebytes, explains in a blog post. “Looking closer at the structure of this attack, we were surprised when we realised this was the infamous Blackhole.”

“The new drive-by download attacks we caught over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits. The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal,” he added.

Closer analysis of an exploit server by Malwarebytes revealed that the attack was put together using leaked source for the Blackhole Exploit Kit.

“Although the exploits are old, there are probably still vulnerable computers out there who could get compromised,” he added. “We also noticed that the author behind this Blackhole edition was working on new landing pages, so it is possible there might be additional changes in the future.”

It’s unclear why an old exploit kit is being used in live attacks considering the infection rate would be quite low due to the ageing exploits. An alternative up-to-date tool would yield far better results for cybercrooks without entailing any extra effort.

One hypothesis could be that with the source code being public, it is a free platform that can be built upon and updated. ®

Bot note

VirusTotal allows anyone to upload suspicious files. The Google-owned service aggregates data on suspicious files before sharing the resulting intelligence with security firms.
