Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Blackhole Exploit Kit v2

A few days ago a new version of THE most common exploit kit was released. Unlike most exploit kit authors, who try to keep a low profile, the author of Blackhole publishes his work in Russian forums and even writes detailed information regarding his new product.

BSL_7858_0bc9b9cd-ed88-4367-8b4e-b2dce2215515
Figure 1: Blackhole Exploit Kit v2 login panel

 

Notice, the login panel requires to enter a CAPTCHA to avoid automatic scanners that guess default passwords, this feature is not new in exploit kits, but definitely not common.

Let's review the important changes that have been made in Blackhole Exploit Kit v2 compared to the Blackhole Exploit Kit v1:

Basically, the author of Blackhole has put a lot of effort into avoiding Anti-Viruses vendors' and Security Researchers' detection, and focuses less on new obfuscation techniques.

Let's compare the new variant of Blackhole Exploit Kit with the old one:

BSL_12732_f6392b32-c98a-432b-bb71-562d41e2a3a2
Figure 2: Blackhole Exploit Kit v2 obfuscated code

 

The older version:

8371_25ddf76a-b95a-4a77-9c80-0d7f95f5d28b
Figure 3: Blackhole Exploit Kit v1 obfuscated code

 

By comparing the code in the two screenshots above, we can see that the core of the obfuscation algorithm is the same. First, the "try/catch" technique,second is some obfuscated code loaded from the DOM using "getElementsByTagName",and finally a set of basic math operations that opens the obfuscated code and executeit.

This is what the de-obfuscated code of Blackhole Exploit Kitv2 looks like:

7658_0262c2fa-446e-43a0-a852-8f8e644849c6
Figure 4: Blackhole Exploit v2 de-obfuscated code

 

According to the screenshots above the new version of Blackhole focuses on evasion techniques: For example, in the code above the PDF and the Jar files are loaded using a unique link that is generated specifically for the user and is valid only for a limited amount of time (definitely a pain in the ass…). As for the files them selves, we will publish a technical analysis of the PDF and Jar exploits served by the new version of Blackhole in a later blog post.

Let's take a closer look at some more interesting stuffadded in the new version:

9236_4f85c65f-c8e4-45ea-91ce-ad5e48549f1b
Figure 5: Blackhole Exploit Kit v2 control panel - Security section

 

Referrers

This option allows the administrator to allow access to theexploit page only from specific referrers which can be configured using thecontrol panel. The administrator can also configure whether to block access tothe exploit when no referrer is present.

Bot List

Blackhole exploit kit holds a list of 132,220 bot IPs which can beautomatically blocked by the engine. This way the exploit kit is not exposed toautomated security crawlers.

7730_061d9738-78fc-4ea1-94ea-b8c8b16cd700
Figure 6: Bots List

ToR List

This feature is really annoying. Blackhole ExploitKit v2 contains an IP list of ToR endpoint nodes, so if this flag is turned on, security researchers won't be able to use ToR for analysis.

Figure 7: ToR List
Figure 7: ToR List

 

Upon installing the exploit kit a list of 2,147 ToR nodes are loaded into the database and are updated automatically.

Recording Mode

This one is a really cool feature: once the attack campaigns over, the administrator can switch their blackhole exploit kit v2 into a "monitoring mode" of sorts. In this stage the exploit kit is not supposed to receive any traffic, therefore, the exploit kit author assumes the incoming traffic belongs to security vendors. The IPs that are captured during that time are reported back to Blackhole author and added to the list of bots.

BSL_8300_21543759-3c1e-4f09-86d9-59a964e0ae30
Figure 8: IP collected list

 

These captured IPs inserted into the database and published to Blackhole customers.

Now let's view the new control panel settings:

BSL_7688_03fac588-dba2-4024-bda5-2000d09850d5
Figure 9: Blackhole Exploit Kit v2 control panel - Preferences section

 

In this new version of Blackhole exploit kit, the administrator can define when the engine will replace the current domain with anew one to avoid Anti-Virus detection. Using the "Antivirus Check" feature, the exploit kit tests the URL of the exploitation page with underground Anti-Virus websites (Vir Test and Scan4you). The administrator can control the change rate of the URL after it has been discovered by a certain number of Anti-Virus vendors.

"Threads" is pretty similar to older version of Blackhole,where the administrator can create multiple attacks with different viruses.

Figure 10: Blackhole Exploit Kit v2 control panel - Threads section
Figure 10: Blackhole Exploit Kit v2 control panel - Threads section

 

The significant feature added in this section is the "Traffic" feature. Unlike older version of the Blackhole Exploit Kit, the new version serves the exploit only one time per IP address. The administrator can configure a webpage or a message to users that continue to access the server more than once.

In conclusion, it is clear that this new generation of Blackhole Exploit Kit puts a lot of effort into new evasion techniques that are aimed towards making the lives of security researchers as difficult as they can be while taking the focus off obfuscation techniques, which used to be the main theme in exploit kit updates in the past. .

Needless to say, customers of Trustwave Secure Web Gateway(SWG), version 10.1 and higher, are protected by default with no need for anyfurther update.

Thanks to my colleague Anat Davidi for her contribution tothis post.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More