Blackhole exploit kit confusion. Custom builds or copycats?

The past couple of weeks have been interesting times for anyone following the malicious Blackhole exploit kit that continues to dominate the charts.

Don’t get me wrong, we expect changes and updates – the individuals behind the kit work tirelessly to try and evade security products. However, some of the recent changes are a little confusing to say the least!

One of the key aspects of the Blackhole exploit kit that we identified in previous research was the organised and coordinated nature of the kit. For example, as soon as a new obfuscation method was added, we would quickly see it in use, across the majority of exploit sites being tracked.

The release, in September 2012, of Blackhole exploit kit version 2 introduced several changes, but the coordinated ‘rollout’ of minor tweaks and modifications continued.

And so to the recent developments we have been observing. First, a quick recap of what we are seeing:

  • the PluginDetect library is still being used, but the kit has updated to the latest version (0.7.9)
  • landing pages are no longer obfuscated (the JavaScript is sometimes minified, but no obfuscation is being used). The characteristic sequence of JavaScript functions is clearly visible within the scripts.
  • sometimes the function names are different and the general structure is slightly changed, but the landing page is fundamentally the same.
  • sometimes certain exploits are removed, with the corresponding functions modified to return non-malicious content.
  • when Blackhole v2 was first released, a number of the older exploits were removed from the kit (perhaps most notably, Flash was completely removed). Recently we are seeing Flash exploits back again. Some of the latest kits seem to be targeting the same vulnerabilities that v1.x Blackhole did, and they use exactly the same filenames: field.swf (CVE-2011-0611) and flash.swf (CVE-2011-2110).
  • Java vulnerabilities are still a favourite, with exploits including CVE-2012-5076 (Sept 2012) and CVE-2012-1723.
  • the classic “old” (version 9.4) Adobe PDF vulnerabilities are back
  • a font vulnerability (CVE-2011-3402) is sometimes being loaded as well. This has been associated with a recent exploit kit known as ‘Cool Exploit Kit’
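Several of the observations above (the PluginDetect version in use, landing pages that are minified rather than obfuscated, and the return of the v1-era Flash filenames) are things an analyst can check automatically across captured landing pages rather than by eye. The script below is an added example and is not code from the original post or from Sophos. The two sample pages it runs on are constructed, the obfuscation and minification heuristics are assumptions chosen for illustration, and it assumes the PluginDetect library's own version header comment ("PluginDetect vX.Y.Z") survives in the captured page; only the two Flash filenames and their CVE numbers come from the article.

```python
"""Triage captured exploit-kit landing pages for the indicators described above.

Added example (not from the original article). Assumptions:
- the page content is available as text (e.g. pulled from a proxy cache or sandbox);
- the PluginDetect version header comment has not been stripped by minification;
- the obfuscation/minification heuristics below are illustrative, not the kit's code.
"""
import re

# Filenames the article reports reappearing in recent kits (from the page).
FLASH_FILENAMES = {"field.swf": "CVE-2011-0611", "flash.swf": "CVE-2011-2110"}

PLUGINDETECT_RE = re.compile(r"PluginDetect\s+v?(\d+\.\d+\.\d+)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
SWF_RE = re.compile(r"[\w./-]+\.swf", re.I)
JAR_RE = re.compile(r"[\w./-]+\.jar", re.I)
PDF_RE = re.compile(r"[\w./-]+\.pdf", re.I)
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
LONG_LITERAL_RE = re.compile(r"[\"'][^\"']{200,}[\"']")


def looks_obfuscated(script):
    """Heuristic (assumption): a decoder call fed by many escape sequences or one
    very long string literal, the pattern older Blackhole landing pages used."""
    if not script.strip():
        return False
    decoder = DECODER_RE.search(script)
    escapes = len(ESCAPE_RE.findall(script))
    return bool(decoder) and (escapes > 20 or bool(LONG_LITERAL_RE.search(script)))


def looks_minified(script):
    """Heuristic (assumption): plain JavaScript squeezed onto very long lines,
    identifiers still readable (the 'minified but not obfuscated' case)."""
    lines = script.count("\n") + 1
    return len(script) > 300 and len(script) / lines > 150


def _basenames(regex, html):
    return sorted({m.rsplit("/", 1)[-1].lower() for m in regex.findall(html)})


def triage(html):
    """Return the indicators found in one captured landing page."""
    scripts = SCRIPT_RE.findall(html)
    version = PLUGINDETECT_RE.search(html)
    swfs = _basenames(SWF_RE, html)
    return {
        "plugindetect_version": version.group(1) if version else None,
        "plugindetect_current": bool(version and version.group(1) == "0.7.9"),
        "obfuscated": any(looks_obfuscated(s) for s in scripts),
        "minified": any(looks_minified(s) for s in scripts),
        "swf_files": swfs,
        "known_flash_exploit_names": {f: FLASH_FILENAMES[f] for f in swfs if f in FLASH_FILENAMES},
        "jar_files": _basenames(JAR_RE, html),
        "pdf_files": _basenames(PDF_RE, html),
    }


# --- Constructed samples (not real captures) ---------------------------------
# Recent "flavour": PluginDetect 0.7.9 header, minified-but-readable JavaScript,
# and the v1-era Flash filenames alongside constructed app.jar / file.pdf names.
_MINIFIED_JS = "".join(
    f"function f{i}(){{return PluginDetect.getVersion('Java')}};" for i in range(8)
)
SAMPLE_RECENT = (
    "<html><body>"
    "<script>/* PluginDetect v0.7.9 www.pinlady.net/PluginDetect/license/ */" + _MINIFIED_JS + "</script>"
    '<applet archive="app.jar" code="a.class"></applet>'
    '<object data="flash.swf"></object><embed src="/files/field.swf">'
    '<iframe src="file.pdf"></iframe>'
    "</body></html>"
)

# Older style: the whole payload hidden behind eval(unescape("%xx%xx...")).
_PAYLOAD = "document.write('<applet archive=\"app.jar\" code=\"a.class\"></applet>')"
_ESCAPED = "".join("%%%02x" % ord(c) for c in _PAYLOAD)
SAMPLE_OBFUSCATED = '<html><body><script>eval(unescape("' + _ESCAPED + '"));</script></body></html>'


if __name__ == "__main__":
    for name, page in (("recent", SAMPLE_RECENT), ("obfuscated", SAMPLE_OBFUSCATED)):
        print(name, triage(page))
```

Run over a directory of captured pages, the output lets you sort captures into "classic obfuscated", "minified with PluginDetect 0.7.9" and "Flash filenames back", which is exactly the kind of grouping that separates a coordinated rollout from an unrelated copycat.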

So what is going on? Why this sudden burst of diversity from Blackhole?

Or is this a new kit? Are some of these recent Blackhole changes actually not Blackhole at all, but some other kit?

As I have been putting together this post, I see that our colleagues at F-Secure are asking a similar question.

Several factors point to this being Blackhole (or at least very closely related – same codebase, potentially same authors).

  • obvious similarities in the function names, filenames, structure etc of the exploit site
  • incoming user traffic is using the same malicious script injections (Mal/Iframe-W redirects injected into legitimate web sites)
  • URL structure used in the kit is consistent with Blackhole v2

Personally I suspect these new ‘flavours’ of Blackhole are from the same group. However, there is one nagging doubt I have:

  • some of the new features could be considered retrograde steps for Blackhole. Why would they revert to using predictable content within the URLs?

Whatever the case, we will continue to monitor these attacks closely, ensuring our reputation filtering and content detection technologies protect customers, regardless of the group behind them!

  • Landing page detections: Mal/ExpJS-N, Mal/ExpJS-AN, Mal/ExpJS-AV
  • Flash content detections: Troj/SWFExp-AI, Troj/SWFExp-BE
  • PDF detections: Troj/PDFJS-AAS, Troj/PDFEx-GX
  • Java detections: Mal/JavaGen-A, Mal/JavaGen-C, Mal/JavaGen-E

Thanks to Gabor and Ferenc in Sophos’s Budapest lab for their assistance in putting together the content for this article.

Black hole image from Shutterstock.