The Blackhole exploit kit, a tool for running drive-by download
attacks, has made a comeback two years after its author's arrest, according to
Malwarebytes.
The security firm has found that cybercrooks have been using
Blackhole again, building on the kit's leaked source code. It has
been used in active drive-by download campaigns via compromised
websites.
“We noticed Java and PDF exploits collected by our honeypot
which we haven’t seen in ages. Looking closer at the structure of this attack,
we were surprised when we realized this was the infamous Blackhole,” the
researchers from Malwarebytes wrote in a blog post.
According to the researchers, the new drive-by download
attacks use the same structure as the original Blackhole, even reusing the old
PDF and Java exploits.
“The only difference is the malware payload being dropped,
which is current and had very low detection on VirusTotal,” they said.
The server used to host the exploit infrastructure happens
to be fully browsable (thanks @MeJz024 for the tip). The folder structure shows
beyond doubt that this is taken straight from the Blackhole source code that had
been leaked.
The researchers note that although the exploits are
old, there are probably still vulnerable computers out there that could be
compromised.
It is also believed that the author of this Blackhole
edition was working on new landing pages, so additional changes are possible
in the future.
“We are not quite sure why this old exploit kit is being
used in live attacks considering the infection rate would be quite low due to
the aging exploits,” they added.
However, they suggest the reason could be that, with the
source code public, it is a free platform that can be built upon and
updated.