Introduction Last month, the Malwarebytes blog posted an article about Blackhole exploit kit (EK) resurfacing in active drive-by campaigns from compromised websites [1]. At the time, I hadn't noticed this trend, because the Windows hosts I was using to generate EK traffic were a bit too up-to-date. If I ran across a compromised website leading to Blackhole EK, I only noticed the following warning in the host's browser window:
I didn't realize these websites were pointing to Blackhole EK until later, when I tried an older Windows host running Internet Explorer 8 and an outdated version of the Java 6 runtime environment. This is somewhat puzzling. Why would a criminal group use such an out-of-date EK with these old exploits? One hypothesis put forward by the Malwarebytes blog is the source code went public, so Blackhole is free and can be customized or improved by the people who now use it [1]. Whatever the reason, I'm finding Blackhole EK more often now. I've also noticed malicious spam campaigns this week using themes that were originally reported years ago (but that's a story for another diary). It seems like everything old is new again. Blackhole EK infection traffic On Wednesday 2015-12-09, I found a compromised website that led to Blackhole EK. The site was later taken off-line. But on that day, Google search results indicated it was compromised.
As usual, there was a gate (or redirect) between the compromised website and the Blackhole EK. (Read more about gate traffic on a previous diary I wrote here). The chain of events was: Compromised website --> Gate --> Blackhole EK The compromised website had injected script with an iframe pointing to a gate at 777couldnot.wha.la as seen in the image below.
Infection traffic consisted of the following:
The iframe from the compromised website led to the gate, which directed traffic to the Blackhole EK landing page.
Below are images showing HTTP requests for the Blackhole EK landing page, Java exploit, PDF exploit, and malware payload.
Snort-based events for this traffic are the same type we saw for Blackhole EK before its creator was arrested in 2013 [2].
The malware Information on malware and exploits from this example on Wednesday 2015-12-09 is listed below.
Final words From a research perspective, this EK isn't nearly as interesting as Angler, Nuclear, or Rig. As it currently stands, Blackhole EK is not much of a threat, especially if you're running up-to-date applications on your Windows computer. Now that we're entering the Christmas holiday season, maybe these cyber criminals are getting nostalgic. Perhaps that's why we're seeing this resurgence of Blackhole activity. If Malwarebytes' hypothesis holds true, now that Blackhole has returned, we might see some sort of update to its capabilities. Only time will tell. Pcaps and malware samples used in this diary are available here. --- References: [1] https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/ |
Brad 436 Posts ISC Handler Dec 11th 2015 |
Thread locked Subscribe |
Dec 11th 2015 6 years ago |
The payload you posted is Win32/CoreBot
|
Anonymous |
Quote |
Dec 11th 2015 6 years ago |
Quoting Anonymous:The payload you posted is Win32/CoreBot Thanks! At least the payload isn't something from yesteryear. securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/ |
Brad 436 Posts ISC Handler |
Quote |
Dec 11th 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!