Down, but not Out: Blackhole Returns

Monday, November 23, 2015 @ 02:11 PM gHale

The Blackhole Exploit Kit is back to conduct a new series of drive-by download attacks, researchers said.

Attackers used the kit for years to push malware from compromised websites onto Windows machines, until the October 2013 arrest in Russia of a person who went by the name Paunch brought an end to its updates.


Without new modules to take advantage of the latest software vulnerabilities, Blackhole rapidly lost its edge, said researchers at security firm Malwarebytes. Cybercrooks quickly switched to other exploit kits such as Angler instead, signalling the long-term decline of Blackhole.

Now, however, Malwarebytes has spotted an active drive-by download campaign, delivered via compromised websites, that looks and feels much like an attack from the Blackhole Exploit Kit.

“We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages,” said Jérôme Segura, a senior security researcher at Malwarebytes, in a blog post.

“The new drive-by download attacks we caught over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits. The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal,” Segura said.

Closer analysis of an exploit server by Malwarebytes revealed that the attack used the leaked source code of the Blackhole Exploit Kit.

“Although the exploits are old, there are probably still vulnerable computers out there who could get compromised,” he added. “We also noticed that the author behind this Blackhole edition was working on new landing pages, so it is possible there might be additional changes in the future.”