Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Blackhole Exploit Kit Upgraded with New Attacks and URL Generation

According to research from Symantec and Sophos, the Blackhole exploit kit has been upgraded with some new features recently. The latest revision includes a payload that targets an unpatched vulnerability in Microsoft XML Core Services , and new JavaScript that addresses propagation issues.

According to research from Symantec and Sophos, the Blackhole exploit kit has been upgraded with some new features recently. The latest revision includes a payload that targets an unpatched vulnerability in Microsoft XML Core Services , and new JavaScript that addresses propagation issues. Unfortunately, the changes prove once again that the criminal economy online is alive and well.

Blackhole is just one of the many crime kits available on the Web. Cybercriminals using it will typically compromise a legitimate site, usually one that is running outdated version of WordPress or osCommerce for example, and wait for visitors to arrive for their delivered infection. The kit itself targets vulnerabilities in common third-party software, such as Java, Adobe’s Reader or Flash, and Microsoft’s Internet Explorer.

Blackhole Exploit Kit“When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a users system,” Symantec explains.

However, recent versions of the kit have patched a known flaw, which often left a potential victim safe from harm if the criminal running a Blackhole domain got lazy or was clueless.

“If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain,” Symantec added.

Moreover, the kit’s recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft’s XML Core Services, which remains unpatched. However, Microsoft has released a FixIt tool that will help mitigate the vulnerability.

If there is any positive light to place on these developments, it is that the newest exploit and upgraded JavaScript are only deployed in limited cases. Yet, this has led to speculation that the changes are part of a larger upgrade test, so their limited availability may have a shot shelf life in its own right.

Related Feature: Black Hole Exploit – A Business Savvy Cyber Gang Driving a Massive Wave of Fraud

Advertisement. Scroll to continue reading.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.