The name BlackHole looms large over the marketplace for crimeware kits, but a new player is said to have emerged with similar code and a similar name.
Known as Whitehole, the kit is different from BlackHole in that it does not use JavaScript to hide its use of plugindetect.js; instead, it directly uses it without obfuscation. Among its features is its ability to evade anti-malware detection efforts, prevent Google Safe Browsing from blocking it and load a maximum of 20 files at once.
“We [analyzed] the related samples, including the exploit malware cited in certain reports,” according to Trend Micro. “The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system: CVE-2012-5076, CVE-2011-3544, CVE-2012-4681, CVE-2012-1723 [and] CVE-2013-0422.”
“The downloaded files are detected as BKDR_ZACCESS.NET and TROJ_RANSOM.NTW respectively,” according to Trend Micro. “ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems.”
Whitehole is reputed to be under development and is running in “test-release” mode. However, the minds behind it are already selling it online and are demanding a fee of between $200 and $1,800 (USD), Trend Micro noted.
“Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months,” according to Trend Micro. “Thus, we are continuously monitoring this threat for any developments.”