Differences with New BlackHole

Monday, February 18, 2013 @ 02:02 PM gHale

The new versions of the BlackHole exploit kit show some significant differences from the older model.

One noteworthy finding is that BlackHole 2.0 doesn’t use the 8-character-long random strings for URLs, said researchers at Trend Micro. Instead, the latest spam campaigns use four different types of URLs.


First, there are WordPress URLs, which point to an HTML file stored in the “wp-content” directory (this is where WordPress themes end up hosted) of a website. However, experts said WordPress themes are not HTML files, so when users see those types of URLs, they should immediately know that something is off.

The second type of URL uses a dictionary word as the directory name. It looks something like this: {compromised site}/{dictionary word}/index.html.

This is similar to the earlier formats, but because a dictionary word is used instead of a random string, it’s more difficult for a user to establish whether the link is legitimate or not.

Other links used in BlackHole spam runs use dictionary words for the file name: {compromised site}/{dictionary word}.html.

The fourth type of URL used by cybercriminals is not actually a URL. In certain cases, the attacker attaches an HTML file to the spam email. When it’s opened, the file redirects the victim to the exploit kit.
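The three link shapes above (the fourth case is an attachment, not a link) can be checked mechanically in mail or proxy logs. The following is an added example, not code from the article or from Trend Micro; the sample URLs and the `.test` hostnames are constructed, and the dictionary-word heuristic is simplified to “all lowercase letters” rather than a real wordlist.

```python
import re
from urllib.parse import urlparse

# Constructed sample URLs illustrating the three link shapes the article
# describes (none are real indicators).
SAMPLE_URLS = [
    "http://example-shop.test/wp-content/themes/twentyten/invoice.html",
    "http://example-shop.test/wp-content/themes/twentyten/style.css",
    "http://blog.example.test/garden/index.html",
    "http://blog.example.test/garden.html",
    "http://blog.example.test/2013/02/some-post/",
]

# Simplified stand-in for a dictionary lookup: one lowercase word.
WORD = re.compile(r"^[a-z]+$")


def classify(url: str) -> str:
    """Return which BlackHole 2.0 link shape a URL matches, or 'none'.

    'wp-content-html' is the strong signal: WordPress theme directories
    hold PHP, CSS and JS, not standalone HTML pages. The two dictionary
    shapes are weak on their own, since legitimate sites use them too.
    """
    path = urlparse(url).path
    parts = [p for p in path.split("/") if p]
    if "wp-content" in parts and path.lower().endswith(".html"):
        return "wp-content-html"
    if len(parts) == 2 and WORD.match(parts[0]) and parts[1] == "index.html":
        return "dictionary-dir-index"
    if len(parts) == 1 and re.match(r"^[a-z]+\.html$", parts[0]):
        return "dictionary-file-html"
    return "none"


def triage(urls):
    """Map each URL to its classification so the caller can decide what
    to hold for review; only 'wp-content-html' justifies that alone."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, label in triage(SAMPLE_URLS).items():
        print(f"{label:22} {url}")
```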

For the redirection pages, cybercriminals usually turn to hacked websites or domains that they’ve registered for free. This tactic makes the campaign more efficient because it’s not so easy for security solutions to identify the threat if legitimate domains end up used.
