The infamous but presumed defunct Blackhole Exploit Kit has been sighted again in the wild.
Rumors of its demise have been greatly exaggerated: Malwarebytes Labs has recently picked up Blackhole activity in its honeypots, even though the kit dropped out of sight after its Russian creator, known as "Paunch," was arrested in October 2013. At the time, Blackhole was the exploit kit most widely used by attackers to push malware from compromised websites onto Windows machines, but Paunch's arrest ended its run. With no further updates, and with the source code leaked, cyber-criminals migrated to other platforms such as Angler EK.
Malwarebytes senior researcher Jerome Segura and his team have been tracking drive-by downloads, and have spotted fresh attacks using a new twist on Blackhole. Upon inspection, the malicious server hosting the exploit infrastructure turned out to be fully browsable (directory listing was enabled), and its folder structure leaves no doubt that it was taken straight from the leaked Blackhole source code.
“The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites,” Segura said. “We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages. Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole.”
The new drive-by download attacks rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits. The only difference is the malware payload being dropped, which is current and, when the campaign was observed, had very low detection on VirusTotal: the exploits are old and well signatured, but the payload behind them is not.
“Although the exploits are old, there are probably still vulnerable computers out there that could get compromised,” Segura warned. “We also noticed that the author behind this Blackhole edition was working on new landing pages, so it is possible there might be additional changes in the future.”