Tweet

Recently it was announced via posts in underground forums and Pastebin posts that a new version of the Blackhole Exploit Kit (BHEK), version 2.0, had been released. (The original announcement was in Russian; an English translation has been provided by researcher Denis Laskov and may be found here.)

We cannot confirm that BHEK 2.0 has been fully deployed by cybercriminals yet. However, intriguing evidence suggests that some parts of BHEK version 2.0 are already being beta-tested in the wild.

The announcement explicitly called out changes in the URLs that BHEK uses:

In version 1. * link to malicious payload unfortunately was recognizable for AV companies and reversers, she [sic] looked this kind,. /Main.php?Varname=lgjlrewgjlrwbnvl2. The new version of the link to the malicious payload you can choose yourself, here are some examples: /news/index.php,/contacts.php and so on, now for the moment no one AV can not catch.

Let’s look at three recent BHEK spam runs to see where they fit here. One spam run, using the name of the Federal Deposit Insurance Corporation (FDIC), was a classic BHEK 1.x spam run with an infection chain of this format:

hxxp://{compromised domain}/achsec.html
hxxp://{landing page}/main.php?page=0f123fe645ddf8d7

In contrast to this, both the eFax and ADP spam runs used the new URL format. eFax used the following format:

hxxp://{compromised domain}/{8 random characters}/index.html
hxxp://{redirection domain}/{8 random characters}/js.js
hxxp://{landing page}/links/raising-peak_suited.php

ADP used similar URLs for its landing pages as well:

hxxp://69.{BLOCKED}.{BLOCKED}.108/links/systems-links_warns.php
hxxp://108.{BLOCKED}.{BLOCKED}.7/links/differently-trace.php

While these attacks use the URL format of BHEK 2.0, their internals still show signs of BHEK 1.x. We saw use of the plugindetect function in their scripts. However, use of that code was explicitly removed in BHEK 2.0. The following text was directly from the translated announcement:

We not using anymore plugindetect to determine the version of Java that will remove a lot of the bunch of extra code thus accelerating the download bundles

This unusual combination indicates that the authors of BHEK 2.0 may still be beta-testing specific features before actually releasing BHEK 2.0 fully into the wild.

We will continue to monitor for new information related to this new threat, and release our findings as appropriate.

Additional text by Lala Manly and Jonathan Leopando

Update as of Sept. 17, 11:20 PM PDT

Trend Micro Smart Protection Network™ protects users from this threat via web reputation service, which blocks access to the related URLs. File reputation service detects and deletes malware related as JAVA_BLACOLE.ZXX, JAVA_BLACOLE.REP, JS_BLACOLE.UYT, TROJ_FAKEAV.KED and TROJ_REVETON.BEK.

Based on our initial analysis, both JAVA_BLACOLE.ZXX and JAVA_BLACOLE.REP exploits the vulnerability in Java Runtime Environment (JRE) 1.7 (CVE-2012-4681), which was targeted by a zero-day exploit documented in our previous post. JS_BLACOLE.UYT downloads other files, while TROJ_FAKEAV.KED displays security alert to trick users into purchasing a rogue antivirus program. TROJ_REVETON.BEK drops its component files onto the infected system.