WhiteHole Exploit Kit Emerges
In our 2013 security predictions, Trend Micro Chief Technology Officer Raimund Genes predicted that we will be seeing new toolkits this year. True enough, there is news of an emerging exploit kit dubbed WhiteHole Exploit Kit. The name Whitehole Exploit kit is just a randomly selected name to differentiate it from BHEK. While it uses similar code as Blackhole Exploit kit, BHEK in particular uses JavaScript to hide its usage of plugindetect.js, while Whitehole does not. It directly uses it without obfuscating this.
We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:
Worth noting is CVE-2013-0422, which was involved in the zero-day incident that distributed REVETON variants and was used in toolkits like the Blackhole exploit kit and Cool exploit kit. Because of its serious security implication, Oracle immediately addressed this issue and released a software update, which was received with skepticism.
The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively. ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems.
On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes. Senior threat researcher David Sancho wrote a detailed report on how this threat is evolving at a fast pace in his paper, Police Ransomware Update.
WhiteHole Exploit Kit is purportedly under development and runs in “test-release” mode. However, the people behind this kit are already peddling the kit and even command a fee ranging from USD 200 to USD 1800. Other notable features of this new toolkit include its ability to evade antimalare detections, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once.
Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments.
Trend Micro protects users from this threat via its Smart Protection Network™ that detects the Java files as well as the downloaded files and blocks all known related URLs. Trend Micro’s Deep Security DPI rule 1004711 – Identified Malicious Java JAR Files also guards systems from the related vulnerabilities exploited in this incident. For ordinary users, Trend Micro Titanium Internet Security provides protection from attacks using the vulnerabilities cited here.
Users are advised to always update their systems with the latest software update provided by vendors and to avoid opening suspicious-looking emails with links.
With additional analysis from Threat response engineer Michael Cabel
Post from: Trendlabs Security Intelligence Blog – by Trend Micro
Read more: WhiteHole Exploit Kit Emerges