Blackhole 2.0 Beta Tests In The Wild?

Recently it was announced, via posts in underground forums and on Pastebin, that a new version of the Blackhole Exploit Kit (BHEK), version 2.0, had been released. (The original announcement was in Russian; an English translation has been provided by researcher Denis Laskov.)

We cannot yet confirm that BHEK 2.0 has been fully deployed by cybercriminals. However, intriguing evidence suggests that some features of BHEK 2.0 are already being beta-tested in the wild.

The announcement explicitly called out changes in the URLs that BHEK uses:

In version 1.*, the link to the malicious payload was unfortunately recognizable for AV companies and reversers; it looked like this: /Main.php?Varname=lgjlrewgjlrwbnvl2. In the new version you can choose the link to the malicious payload yourself; here are some examples: /news/index.php, /contacts.php and so on. For the moment no AV can catch it.

Let's look at three recent BHEK spam runs to see where they fit. One spam run, which used the name of the Federal Deposit Insurance Corporation (FDIC), was a classic BHEK 1.x run with an infection chain of this format:

hxxp://{compromised domain}/achsec.html
hxxp://{landing page}/main.php?page=0f123fe645ddf8d7

In contrast, both the eFax and ADP spam runs used the new URL format. The eFax run used the following chain:

hxxp://{compromised domain}/{8 random characters}/index.html
hxxp://{redirection domain}/{8 random characters}/js.js
hxxp://{landing page}/links/raising-peak_suited.php

The ADP run used similar URLs for its landing pages:

hxxp://69.{BLOCKED}.{BLOCKED}.108/links/systems-links_warns.php
hxxp://108.{BLOCKED}.{BLOCKED}.7/links/differently-trace.php

While these attacks use the BHEK 2.0 URL format, their internals still show signs of BHEK 1.x: their scripts still use the plugindetect code (the PluginDetect JavaScript library that BHEK 1.x landing pages use to fingerprint installed plugin versions, such as Java, before selecting an exploit). The announcement explicitly says that this code was removed in BHEK 2.0; the following text is taken directly from the translated announcement:


We are no longer using plugindetect to determine the version of Java; that removes a lot of extra code, thus speeding up the loading of the bundles.

This unusual combination suggests that the BHEK authors may still be beta-testing specific 2.0 features before releasing BHEK 2.0 fully into the wild.
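The two signals described above (the landing page URL format and the presence of plugindetect code) can be turned into a simple triage check. The following is an added example written for this page, not Trend Micro code or a detection signature from the product. The regular expressions are my own generalization of the URL samples shown in the FDIC, eFax and ADP runs (the 16-hex-character length of the 1.x page parameter is taken from the single example above, and the "/links/" template matches only what was seen in these two runs, since the announcement says the 2.0 path is operator-chosen). The 8-character directory names and the landing page HTML snippets are constructed for illustration, not captured samples.

```python
"""Triage helper for the BHEK 1.x / 2.0 URL-format and plugindetect signals.

Added example, not Trend Micro code. Regexes are an assumed generalization of
the URLs quoted in the post; sample HTML and the 8-character directory names
are constructed.
"""
import re
from typing import Iterable

# Drop scheme and host; works on defanged hxxp:// URLs and {BLOCKED} hosts.
_SCHEME_HOST = re.compile(r"^[A-Za-z]+://[^/]*")

# BHEK 1.x landing page as seen in the FDIC run: /main.php?page=<16 hex chars>
BHEK1_LANDING = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$", re.I)

# BHEK 2.0-style landing page seen in the eFax/ADP runs:
# /links/<word>-<word>.php or /links/<word>-<word>_<word>.php (lowercase words).
# Assumption: only this "links/" template is matched; 2.0 operators may pick any path.
BHEK2_LINKS_LANDING = re.compile(r"^/links/[a-z]+-[a-z]+(?:_[a-z]+)?\.php$")

# Intermediate hops from the eFax run: /<8 random chars>/index.html or /<8 random chars>/js.js
RANDOM8_HOP = re.compile(r"^/[A-Za-z0-9]{8}/(?:index\.html|js\.js)$")

# The PluginDetect library marker that 1.x landing pages embed to probe plugin versions.
PLUGINDETECT = re.compile(r"PluginDetect", re.I)


def url_path(url: str) -> str:
    """Return the path (plus query) of a URL with scheme and host removed."""
    return _SCHEME_HOST.sub("", url.strip())


def classify_url(url: str) -> str:
    """Label one URL by the BHEK URL templates seen in the three spam runs."""
    path = url_path(url)
    if BHEK1_LANDING.search(path):
        return "bhek1-landing"
    if BHEK2_LINKS_LANDING.search(path):
        return "bhek2-links-landing"
    if RANDOM8_HOP.search(path):
        return "random8-hop"
    return "other"


def assess_chain(urls: Iterable[str], landing_html: str = "") -> dict:
    """Combine the URL-format signal with the plugindetect content signal."""
    labels = [classify_url(u) for u in urls]
    if "bhek1-landing" in labels:
        url_style = "1.x"
    elif "bhek2-links-landing" in labels:
        url_style = "2.0"
    else:
        url_style = "unknown"
    uses_plugindetect = bool(PLUGINDETECT.search(landing_html))
    if url_style == "2.0" and uses_plugindetect:
        verdict = "2.0 URL format but 1.x plugindetect code (mixed)"
    elif url_style == "2.0":
        verdict = "consistent with announced 2.0 (no plugindetect)"
    elif url_style == "1.x":
        verdict = "classic 1.x chain"
    else:
        verdict = "no BHEK URL signature"
    return {"labels": labels, "url_style": url_style,
            "plugindetect": uses_plugindetect, "verdict": verdict}


# Chains quoted in the post; the 8-character directory "k3j9d0aq" is constructed.
FDIC_CHAIN = ["hxxp://{compromised domain}/achsec.html",
              "hxxp://{landing page}/main.php?page=0f123fe645ddf8d7"]
EFAX_CHAIN = ["hxxp://{compromised domain}/k3j9d0aq/index.html",
              "hxxp://{redirection domain}/k3j9d0aq/js.js",
              "hxxp://{landing page}/links/raising-peak_suited.php"]
ADP_LANDINGS = ["hxxp://69.{BLOCKED}.{BLOCKED}.108/links/systems-links_warns.php",
                "hxxp://108.{BLOCKED}.{BLOCKED}.7/links/differently-trace.php"]

# Constructed landing-page snippets (not captured samples): one embeds the
# PluginDetect helper as 1.x pages do, the other does not.
HTML_WITH_PLUGINDETECT = ('<script>var PluginDetect={version:"0.7.8"};'
                          'PluginDetect.getVersion("Java");</script>')
HTML_WITHOUT_PLUGINDETECT = '<script>var j=navigator.javaEnabled();</script>'

if __name__ == "__main__":
    for name, chain, html in (("FDIC", FDIC_CHAIN, HTML_WITH_PLUGINDETECT),
                              ("eFax", EFAX_CHAIN, HTML_WITH_PLUGINDETECT),
                              ("ADP", ADP_LANDINGS, HTML_WITHOUT_PLUGINDETECT)):
        print(name, assess_chain(chain, html))
```

Run against proxy or web-filter logs, `classify_url` alone will flag the two URL templates, but the verdict is only meaningful once the fetched landing page body is passed in as well: the "mixed" verdict is exactly the 2.0 URL plus 1.x plugindetect combination the post describes.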

We will continue to monitor for new information related to this new threat, and release our findings as appropriate.

Additional text by Lala Manly and Jonathan Leopando

Post from: TrendLabs | Malware Blog – by Trend Micro

Story added 14 September 2012; the full text can be found at the content source named above.