• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Spam   »   Blackhole 2.0 Beta Tests In The Wild?

Blackhole 2.0 Beta Tests In The Wild?

  • Posted on:September 14, 2012 at 4:49 am
  • Posted in:Spam
  • Author:
    Jon Oliver (Senior Architect)
0

Recently it was announced via posts in underground forums and Pastebin posts that a new version of the Blackhole Exploit Kit (BHEK), version 2.0, had been released. (The original announcement was in Russian; an English translation has been provided by researcher Denis Laskov and may be found here.)

We cannot confirm that BHEK 2.0 has been fully deployed by cybercriminals yet. However, intriguing evidence suggests that some parts of BHEK version 2.0 are already being beta-tested in the wild.

The announcement explicitly called out changes in the URLs that BHEK uses:


In version 1. * link to malicious payload unfortunately was recognizable for AV companies and reversers, she [sic] looked this kind,. /Main.php?Varname=lgjlrewgjlrwbnvl2. The new version of the link to the malicious payload you can choose yourself, here are some examples: /news/index.php,/contacts.php and so on, now for the moment no one AV can not catch.

 

Let’s look at three recent BHEK spam runs to see where they fit here. One spam run, using the name of the Federal Deposit Insurance Corporation (FDIC), was a classic BHEK 1.x spam run with an infection chain of this format:

hxxp://{compromised domain}/achsec.html
hxxp://{landing page}/main.php?page=0f123fe645ddf8d7

In contrast to this, both the eFax and ADP spam runs used the new URL format. eFax used the following format:

hxxp://{compromised domain}/{8 random characters}/index.html
hxxp://{redirection domain}/{8 random characters}/js.js
hxxp://{landing page}/links/raising-peak_suited.php

ADP used similar URLs for its landing pages as well:

hxxp://69.{BLOCKED}.{BLOCKED}.108/links/systems-links_warns.php
hxxp://108.{BLOCKED}.{BLOCKED}.7/links/differently-trace.php

While these attacks use the URL format of BHEK 2.0, their internals still show signs of BHEK 1.x. We saw use of the plugindetect function in their scripts. However, use of that code was explicitly removed in BHEK 2.0. The following text was directly from the translated announcement:


We not using anymore plugindetect to determine the version of Java that will remove a lot of the bunch of extra code thus accelerating the download bundles

 

This unusual combination indicates that the authors of BHEK 2.0 may still be beta-testing specific features before actually releasing BHEK 2.0 fully into the wild.

We will continue to monitor for new information related to this new threat, and release our findings as appropriate.

Additional text by Lala Manly and Jonathan Leopando

Update as of Sept. 17, 11:20 PM PDT

Trend Micro Smart Protection Network™ protects users from this threat via web reputation service, which blocks access to the related URLs. File reputation service detects and deletes malware related as JAVA_BLACOLE.ZXX, JAVA_BLACOLE.REP, JS_BLACOLE.UYT, TROJ_FAKEAV.KED and TROJ_REVETON.BEK.

Based on our initial analysis, both JAVA_BLACOLE.ZXX and JAVA_BLACOLE.REP exploits the vulnerability in Java Runtime Environment (JRE) 1.7 (CVE-2012-4681), which was targeted by a zero-day exploit documented in our previous post. JS_BLACOLE.UYT downloads other files, while TROJ_FAKEAV.KED displays security alert to trick users into purchasing a rogue antivirus program. TROJ_REVETON.BEK drops its component files onto the infected system.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: betaBHEKblackhole exploit kit

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.