Blackhole Exploit Kit Use Falls Off After Arrest

Two weeks ago, it was reported that police in Russia arrested the reputed author of the Blackhole Exploit kit, a man who went by the hacker alias ‘Paunch.’ In the aftermath, the number of spam campaigns using Blackhole to distribute malware fell off, and in the past two weeks it has still not recovered.

According to security researchers, use of the exploit kit seems to have chilled for the moment, and some cyber-crew have started switching tactics. For example, researchers at Dell SecureWorks report that following the arrest, one of the groups using the Cutwail spam botnet stopped spamming out links leading to the Blackhole exploit kit in favor of another kit known in the security community as Magnitude (formerly Popads).

In that case, the spam emails have links that open up to a website that tells the user their browser is not up to date as a ruse to get them to download Gameover Zeus while a malicious iFrame redirects the browser to the Magnitude exploit kit. At that point, Magnitude installs the infamous ZeroAccess Trojan on the user’s system if they are susceptible to any of the targeted vulnerabilities, such as CVE-2011-3402 (Windows) and CVE-2013-0633 (Adobe Flash Player).

“Blackhole operations have gone silent,” said Richard Henderson, security strategist at FortiGuard Labs.

“Will other kits move in to fill the void left by [Blackhole]? Most definitely. When will we see this happen? It’s hard to say right now, but for every hacker arrested, there’s another who thinks he is skilled enough to avoid arrest and will take a shot at making their millions,” he added.

According to Chester Wisniewski, senior security advisor at Sophos, other exploits have actually already begun to fill that void. At the moment, the two most common exploit kits are Glazunov and Neutrino – though it is hard to account for who picked up the most business from Black Hole’s demise, he said.

Trend Micro security researcher Jonathan Leopando blogged that underground forums are still digesting news of the arrest and what the long-term impact may be.

“One particular area of concern in Russian underground forums is whether users of BHEK could face arrests themselves,” he blogged. “In particular, users who purchased BHEK directly from Paunch or his authorized resellers would be in Paunch’s database of clients, which is now presumably in the hands of law enforcement.”

The use of exploit kits as an infection vector has been cyclical for some time, noted Andrew Brandt, director of threat research at Blue Coat Systems.

“In spam-delivered campaigns, we saw an uptick in the use of exploit kits in August and early September, then their use trailed off after about the 10th [of October],” he said. “We saw a gradual increase in Kuluoz-style email with links that simply deliver a .zip file and some messages with the .zip file already attached.”

Elsewhere, exploit kits of many types remain in wide use on compromised websites, he said, and iframes and misdirection are being used to load the kit in the background while the victim surfs the Web.
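Both the Cutwail/Magnitude chain described earlier (a fake "browser out of date" page with a malicious iFrame redirecting to the kit) and the compromised-site pattern above rely on an iframe the visitor never sees. The script below is an added example, not code from SecureWorks, Blue Coat or any other party quoted here: it scans a page for iframes that are both hidden (zero size or hidden by style) and point to a host other than the page's own, which is the combination a defender would want flagged. The sample HTML, the lure page URL and the iframe target domain are all constructed placeholders.

```python
"""Flag hidden iframes that send a visitor to a third-party host.

Added example for this article; the sample page below is constructed.
The lure text mimics the "your browser is not up to date" ruse described
in the article, and the iframe target is a placeholder domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: fake "update your browser" lure plus a
# zero-size, hidden iframe pointing off-site (placeholder domain).
SAMPLE_PAGE = """
<html><body>
<h1>Your browser is out of date!</h1>
<p>Click <a href="/update/browser_update.exe">here</a> to update.</p>
<iframe src="http://ek.example-placeholder.invalid/gate.php"
        width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://www.example.com/legit-widget" width="300" height="200"></iframe>
</body></html>
"""

# CSS that hides an element outright.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero(value):
    """True when a width/height attribute evaluates to 0 (0, 0px, 0%)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, page_url):
    """Return a list of (src, reasons) for iframes that are hidden AND off-site.

    A visible third-party frame (ads, widgets) or a hidden same-site frame
    is not reported on its own; only the combination is.
    """
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        src_host = urlparse(src).hostname
        if src_host and src_host != page_host:
            reasons.append("third-party-host")
        if "third-party-host" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    hits = find_suspicious_iframes(SAMPLE_PAGE, "http://lure.example.net/update.html")
    for src, why in hits:
        print(src, "->", ", ".join(why))
```

Run against the constructed page, the hidden zero-size frame is reported with all three reasons while the visible widget frame is not. In practice the same check belongs in a web proxy or crawler that inspects pages customers actually visit, with the page host taken from the request rather than hard-coded.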

“If the author of Black Hole sold the code, or had collaborators that were not apprehended, it is possible that we could see the kit appear again in the future,” said Curt Wilson, ASERT senior research analyst for Arbor Networks. “There is also a possibility that the code may have leaked at some point, which could make that particular threat re-emerge. There is no shortage of exploit kits that can be rented or purchased in the underground, and threat actors are likely to have taken full advantage of the situation to encourage new customers to migrate from Black Hole to their particular exploit kit.”