The past few months have been busy ones for Blackhole spam attackers. The last time we discussed Blackhole spam runs, we noted that they had returned from their New Year break and were hitting users again. Before that, we reported in September that a new version of the Blackhole Exploit Kit had been introduced by attackers into the underground. Since September we have observed further upgrades and new developments in this area, which this post will cover.
Upgrade to Blackhole Exploit Kit 2.0
Since last September, cybercriminals have stopped using the older 1.x version of the Blackhole Exploit Kit entirely and moved to version 2.0. Most significantly, the URLs no longer contain the eight-character-long random strings that were a key part of the 1.x version. Those strings made it easier for researchers to discover and monitor websites connected to various spam runs.
New vulnerabilities have also been added to the Blackhole Exploit Kit as they have been made “public”. For example, the recent Java zero-day was added to BHEK’s arsenal within days of the vulnerability becoming known to the security industry.
Clearly, these cybercriminals are continuously enhancing this toolkit both to evade detection and to generate profit from users. In line with that profit motive, the Blackhole Exploit Kit was used to distribute known information-stealing malware such as ZeuS and Cridex variants.
Increased Usage of Different Infection Chains
One development we have seen is that different browsers are receiving different infection chains, with more distinct differences from browser to browser. For example, there are situations where users running Chrome may receive malicious files, but Firefox and Internet Explorer do not.
Why this is being done remains unclear. It is possible that the goal is to lower the profile of these threats; this makes sense in combination with the next development. What is clear is that it makes analysis by researchers and security vendors more complicated: it increases the number of test cases that have to be examined, and thus the effort that must be dedicated to any individual attack.
Smaller, But More Spam Runs
One noticeable trend is that we are seeing more spam runs, but each run is smaller by itself. The overall volume is not decreasing, but the scope of each individual attack is decreasing.
Together with the previous development of differing infection chains, this may represent an attempt to lower the profile of Blackhole attacks. Any individual attack is smaller and thus less likely to attract the attention of researchers and security vendors. Users, however, end up facing a similar level of threat as before. (The different infection chains would only help in reducing the scale of any single attack.)
Quickly Changing Landing Pages
For a while in November, we encountered cases where landing page domains changed very quickly; new domains were being spotted every few minutes.
This may have been another attempt to make life more difficult for security researchers and vendors. However, it also raises the burden on the attackers (they have to register and set up multiple domains), so it appears the attackers did not persist with this tactic.
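The two observations above, browser-dependent infection chains and rapidly rotating landing-page domains, are both visible in web-proxy logs. The following is an added example (not code from the original post or from Trend Micro) that runs over constructed log lines; the hosts, paths, browser names and body hashes are placeholders, and the log format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the original post): timestamp, client IP,
# browser family, requested URL and a hash of the returned body. All placeholders.
LOG_LINES = """\
2012-11-05T10:00:12 10.0.0.5 Chrome http://landing-a.example/go.php body=a1f3
2012-11-05T10:00:40 10.0.0.6 Firefox http://landing-a.example/go.php body=77c2
2012-11-05T10:01:05 10.0.0.7 MSIE http://landing-a.example/go.php body=77c2
2012-11-05T10:03:30 10.0.0.8 Chrome http://landing-b.example/go.php body=a1f3
2012-11-05T10:06:10 10.0.0.9 Chrome http://landing-c.example/go.php body=a1f3
2012-11-05T11:30:00 10.0.0.5 Firefox http://static.example/logo.png body=9e9e
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) http://([^/ ]+)(\S*) body=(\w+)$")

def parse(lines):
    """Parse the assumed log format into (time, client, browser, host, path, body) tuples."""
    rows = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, browser, host, path, body = m.groups()
            rows.append((datetime.fromisoformat(ts), client, browser, host, path, body))
    return rows

def browser_dependent_paths(rows):
    """URLs that returned different bodies to different browser families
    (the Chrome-only delivery described in the post). Returns {(host, path): {browser: [hashes]}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, _client, browser, host, path, body in rows:
        seen[(host, path)][browser].add(body)
    result = {}
    for key, per_browser in seen.items():
        all_bodies = set().union(*per_browser.values())
        if len(per_browser) > 1 and len(all_bodies) > 1:
            result[key] = {b: sorted(h) for b, h in per_browser.items()}
    return result

def domain_churn(rows, path, window_minutes=10, min_new=3):
    """Flag a landing path when at least `min_new` never-before-seen hosts serving it
    appear within `window_minutes`. Returns (flagged, {host: first_seen_time})."""
    first_seen = {}
    for ts, _client, _browser, host, p, _body in sorted(rows):
        if p == path and host not in first_seen:
            first_seen[host] = ts
    times = sorted(first_seen.values())
    flagged = any((times[i + min_new - 1] - times[i]).total_seconds() <= window_minutes * 60
                  for i in range(len(times) - min_new + 1))
    return flagged, first_seen
```

On the constructed lines, `/go.php` is flagged for both checks: the same URL served Chrome a different body than Firefox and MSIE, and three new hosts serving it appeared within six minutes.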
The changes to Blackhole spam runs were made largely to evade the efforts of security researchers. As far as end users are concerned, the threat has largely remained the same: the spammed messages themselves still impersonate well-known organizations and popular websites for their social engineering.
It is clear that the cybercriminals behind these attacks are aware of the efforts being made to shut them down, and are responding by adding new features and upgrades to the Blackhole Exploit Kit in an attempt to evade those efforts.