Moscow cops cuff suspect in Blackhole crimeware bust

$50-a-day malware kit set miscreants back more than priciest software licence

The infamous Blackhole Exploit Kit has gone dark following the reported arrest in Russia of a suspect whom police believe is linked to the malware.

Blackhole has been the preferred tool for running drive-by download attacks and therefore a menace to internet hygiene for the last three years.

A suspect linked to Blackhole was arrested by Russian police earlier this week, Europol confirmed, without giving details.

The Russian authorities have not as yet released the name of the suspect or any other details of their investigation.

Drive-by badness

Blackhole is one of the most popular crimeware toolkits, serving browser-based exploits and the like from compromised websites in order to distribute malware. The hacker tool was authored by a person calling themselves "Paunch" and is essentially a web-based application. It first reared its ugly head in late 2010, and quickly became a common find for malware researchers investigating compromised websites.

Cybercrooks must first find a site that can be exploited before planting the exploit kit, often exposing users of legitimate sites to Blackhole-powered attacks.

The exploit kit attempts to download malware on the PCs of visiting surfers by taking advantage of any unpatched browser, Java or Adobe Flash plug-in vulnerability it manages to find.

Malware distributors also create links in spam messages that point to exploit portals hosting Blackhole, an alternative approach that gets around the need to hack legitimate websites before planting malicious code.

The end goal is both cases is to push various strains of malware onto vulnerable PCs.

$50 a day... even the baddies want you to rent their software!

A revamped version of the Blackhole Exploit Kit (version 2) was released just over a year ago in September 2012. The follow-up features support for Windows 8 and more sophisticated technologies for circumventing security defences.

The release also includes a spruced-up user interface – so the tool can now be used by the less technically able criminal – as well as a revised licensing structure that puts a greater emphasis on renting rather than buying the software.

Malware authors have caught on to the trend of leasing out rather than selling software. Rental prices for Blackhole run from $50 a day while leasing the software for a year costs around $1,500.

Earlier this year the Cool Exploit Kit surfaced online. Cool, also allegedly built and maintained by "Paunch", is essentially a more sophisticated and expensive version of Blackhole that reportedly costs a hefty $10,000 in monthly rental fees compared to $500 a month for Blackhole.

Blackhole ‪accretion disc‬ stops spinning

Several sources in the security industry claim that the malicious kit, which is normally updated at least once or twice a day, has not been updated for several days.

Malwarebytes reports that updates to the kit have ceased over recent days. – a service used to encrypt the exploit kit – is down.

Meanwhile security researcher and long-time Blackhole-watcher Kafeine has published a graphic showing how the malicious Java applet, which is normally updated between once and twice a day, hasn’t changed for at least five days.

Malwarebytes is careful to note that these events are only offer circumstantial evidence that something has been done to deactivate the Blackhole ecosystem. The antivirus firm says that even though an arrest has been made, it's possible cops should be looking for multiple suspects.

Nonetheless the current hiatus in Blackhole malfeasance is cause for cautious optimism, not least because it might severely inconvenience cybercrooks who relied on the black hat tool.

"Criminals who 'rent' the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale," Malwarebytes explains in a blog post. "Those that host the exploit kit themselves have more control in that they could (if savvy enough) make some alterations to the kit to 'keep it alive'."

Displacement effect

The end effect may be to displace net fraudsters onto less-sophisticated and developed kits, rather than forcing them to give up on their preferred scams for want of suitable utilities, according to Malwarebytes.

"In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon. In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit," it adds.

"If it’s true that the brains behind the Blackhole has been apprehended it’s a very big deal – a real coup for the cybercrime-fighting authorities, and hopefully cause disruption to the development of one of the most notorious exploit kits the web has ever seen," writes veteran security watcher Graham Cluley.

Fraser Howard, a senior virus researcher in SophosLabs, struck a more cautious note in a blog post looking at malicious activity since the arrest of a suspect allegedly linked to Blackhole.

"Assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue," he writes. "That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down."

Recent daily stats from Sophos show that the Neutrino, Glazunov and Sibhost exploit kits are currently dominant, but use of Blackhat/Cool also dipped in August. All these stats really tell us for sure is that other exploit kits are available.

"With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape. Criminals who used to use Blackhole services could simply migrate to other exploit kits.

"That said, an arrest is definitely good news," he concludes.

A whitepaper by Sophos on the Blackhole Exploit Kit can be found here.

More details on the cybercrime ecosystem created around the Blackhole Exploit Kit can be found in a blog post by independent security researcher Dancho Danchev here. ®

Similar topics

Broader topics

Narrower topics

Other stories you might like

  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Cops' Killer Bee stings credential-stealing scammer
    Fraudster and two alleged accomplices nabbed in joint op

    An Interpol-led operation code-named Killer Bee has led to the arrest and conviction of a Nigerian man who was said to have used a remote access trojan (RAT) to reroute financial transactions and steal corporate credentials. Two suspected accomplices were also nabbed.

    The trio, aged between 31 and 38, were detained as part of a sting operation involving law enforcement agencies across 11 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, Philippines, Singapore, Thailand, and Vietnam. 

    The suspects were arrested in the Lagos suburb of Ajegunle and in Benin City, Nigeria. At the time of their arrests, all three men were in possession of fake documents, including fraudulent invoices and forged official letters, it is claimed.

    Continue reading

Biting the hand that feeds IT © 1998–2022