Blackhole Comes Back to Haunt; Java and Acrobat Become the First Victims

By CIOReview | Saturday, November 21, 2015

FREMONT, CA: The Blackhole exploit kit, once popular among cyber-criminals, has made its return. According to researchers at security firm Malwarebytes, Blackhole is attempting infections using old exploits, showing that the kit is still evolving.

Malwarebytes observed attacks using older exploits for Oracle's Java and Adobe's Acrobat, and on further investigation found that a poorly secured server had Blackhole installed on it. Recalling that the kit's code was leaked in 2011, the research firm observes that the code is being reused by cyber-criminals. "Blackhole was well-written, and we have seen in the past, like with Zeus, that a lot of criminals do not reinvent the wheel. They will use older infrastructure and build on top of it," says Jérôme Segura, Senior Security Researcher, Malwarebytes Labs.

The 2011 release of the code for both the Zeus cyber-crime kit and the Blackhole exploit kit gave criminals a common software platform on which to build new methods, and in 2013 Russian authorities arrested the author of the Blackhole exploit kit. Even after the author's arrest, the exploit kit continued to find users, but it slowly became outdated. The notorious kit mainly consisted of exploits for Web-based vulnerabilities, tailor-made to deliver malware payloads of the buyer's choice to compromised systems. The latest findings from Malwarebytes show that Blackhole's original malware payload has been modified slightly but basically runs on the same exploits. Nevertheless, the future of Blackhole cannot be determined as yet.

"It may be a trap designed to track down honeypots, which typically have lowered security settings and would not get updated as often as consumer machines," Segura continues. "If that were the case, their goal would be to identify security crawlers and scanners and add them to a blacklist."