Blackhole 2.0 Beta Tests In The Wild?

14 Sep 2012

Recently it was announced via posts in underground forums and on Pastebin that a new version of the Blackhole Exploit Kit (BHEK), version 2.0, had been released. (The original announcement was in Russian; an English translation has been provided by researcher Denis Laskov.)

We cannot confirm that BHEK 2.0 has been fully deployed by cybercriminals yet. However, evidence from recent spam runs suggests that some parts of BHEK 2.0 are already being beta-tested in the wild.

The announcement explicitly called out changes in the URLs that BHEK uses:


In version 1.* the link to the malicious payload unfortunately was recognizable for AV companies and reversers; she [sic] looked this kind: /Main.php?Varname=lgjlrewgjlrwbnvl2. In the new version the link to the malicious payload you can choose yourself, here are some examples: /news/index.php, /contacts.php and so on; now for the moment no AV can catch it.

Let’s look at three recent BHEK spam runs to see where they fit. One spam run, using the name of the Federal Deposit Insurance Corporation (FDIC), was a classic BHEK 1.x spam run with an infection chain of this format (a compromised site redirecting to a landing page whose URL carries a single random-looking query value):

hxxp://{compromised domain}/achsec.html
hxxp://{landing page}/main.php?page=0f123fe645ddf8d7

In contrast to this, both the eFax and ADP spam runs used the new URL format, in which the landing page path looks like an ordinary page on the site rather than main.php with a query string. eFax used the following format:

hxxp://{compromised domain}/{8 random characters}/index.html
hxxp://{redirection domain}/{8 random characters}/js.js
hxxp://{landing page}/links/raising-peak_suited.php

ADP used similar URLs for its landing pages as well:

hxxp://69.{BLOCKED}.{BLOCKED}.108/links/systems-links_warns.php
hxxp://108.{BLOCKED}.{BLOCKED}.7/links/differently-trace.php

While these attacks use the URL format of BHEK 2.0, their internals still show signs of BHEK 1.x: the scripts on their landing pages still use the PluginDetect library to determine the victim’s Java version. According to the announcement, that code was explicitly removed in BHEK 2.0. The following text is taken directly from the translated announcement:


We are not using plugindetect anymore to determine the version of Java; that will remove a lot of the bunch of extra code, thus accelerating the download of bundles.

This unusual combination (2.0-style landing page URLs served by pages that still carry 1.x-style PluginDetect code) suggests that the authors of BHEK 2.0 may still be beta-testing specific features before releasing BHEK 2.0 fully into the wild.
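The two indicators discussed above, the landing-page URL shapes and the presence of PluginDetect on the landing page, can be turned into a simple triage script for proxy logs. The following is an added example written for this post, not code from the original article or from Trend Micro; the regular expressions are my own generalization of the handful of URL samples quoted above (a 1.x landing page as main.php with one random-looking query value, a 2.0-style landing page under /links/ with hyphenated dictionary words, and 8-character random directories on the redirection hops), and the log format and log lines are constructed for illustration. Because the 2.0 announcement says operators can pick any path, the /links/ pattern only matches the campaigns seen here and will miss other operators’ choices.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed patterns generalized from the URLs quoted in the post; they are an
# illustration, not a published signature.
BHEK1_LANDING = re.compile(r"^/main\.php\?[a-z]+=[a-z0-9]{12,}$", re.I)
BHEK2_LANDING = re.compile(r"^/links/[a-z]+-[a-z]+(?:_[a-z]+)?\.php$", re.I)
REDIRECT_HOP = re.compile(r"^/[a-z0-9]{8}/(?:index\.html|js\.js)$", re.I)

# Constructed proxy log: "<timestamp> <client> <url>", one request per line.
# Clients .5 and .7 reproduce the 1.x and 2.0-style chains from the post;
# client .9 shows benign-looking paths that the patterns must not flag.
LOG = """\
2012-09-14T09:58:10Z 10.0.0.5 hxxp://compromised.example/achsec.html
2012-09-14T09:58:11Z 10.0.0.5 hxxp://landing.example/main.php?page=0f123fe645ddf8d7
2012-09-14T10:02:30Z 10.0.0.7 hxxp://compromised2.example/a1b2c3d4/index.html
2012-09-14T10:02:31Z 10.0.0.7 hxxp://redir.example/a1b2c3d4/js.js
2012-09-14T10:02:32Z 10.0.0.7 hxxp://landing2.example/links/raising-peak_suited.php
2012-09-14T10:05:00Z 10.0.0.9 hxxp://news.example/news/index.php
2012-09-14T10:06:00Z 10.0.0.9 hxxp://cdn.example/links/readme.php
"""
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+)$")


def classify_url(url: str) -> Optional[str]:
    """Label the BHEK stage a URL resembles, or None if it matches nothing."""
    parts = urlsplit(url)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    if BHEK1_LANDING.match(path_and_query):
        return "bhek1-landing"
    if BHEK2_LANDING.match(path_and_query):
        return "bhek2-style-landing"
    if REDIRECT_HOP.match(path_and_query):
        return "redirect-hop"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, client, label, url) for every request that matches."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, url = m.groups()
        label = classify_url(url)
        if label:
            hits.append((lineno, client, label, url))
    return hits


def infection_chains(hits) -> Dict[str, List[str]]:
    """Per client, the ordered stage labels, kept only if a landing page was reached."""
    chains: Dict[str, List[str]] = {}
    for _lineno, client, label, _url in hits:
        chains.setdefault(client, []).append(label)
    return {c: seq for c, seq in chains.items() if any(l.endswith("landing") for l in seq)}


def has_plugindetect(landing_page_script: str) -> bool:
    """The 1.x indicator: PluginDetect still present in the fetched landing page."""
    return re.search(r"plugindetect", landing_page_script, re.I) is not None


def looks_like_beta_hybrid(url: str, landing_page_script: str) -> bool:
    """The combination the post describes: a 2.0-style URL whose page still uses PluginDetect."""
    return classify_url(url) == "bhek2-style-landing" and has_plugindetect(landing_page_script)


if __name__ == "__main__":
    for hit in scan_log(LOG):
        print(hit)
    print(infection_chains(scan_log(LOG)))
    # Constructed script fragment; real landing pages are heavily obfuscated.
    sample = "var pd = PluginDetect.getVersion('Java');"
    print(looks_like_beta_hybrid("hxxp://landing2.example/links/raising-peak_suited.php", sample))
```

Run against a real proxy log, the `infection_chains` output is the useful part: a client that passes through an 8-character redirect directory and then a /links/ landing page within a few seconds is the 2.0-style chain, while a client that lands directly on main.php with a 16-character value is the classic 1.x chain. The `has_plugindetect` check needs the fetched landing page body and is only meaningful after the script has been deobfuscated.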

We will continue to monitor for new information related to this new threat, and release our findings as appropriate.

Additional text by Lala Manly and Jonathan Leopando
