The Latest in IT Security

BlackHole Kit Doesn’t Like Chrome

06
Dec
2012

Recently, we’ve started to see the BlackHole Exploit Kit (BHEK) using plain HTML files (instead of iframes) as redirectors to the exploit page.

The content of the HTML file will usually be a page displaying a “loading” or “please wait” or “connecting to server” type of message, with background JavaScript which will redirect the victim to the real BHEK attack page:

HTML of BHEK attack landing page

Here is the source code for those .JS files:

HTML of second stage (relay) pages

The JavaScript in the second-layer site just performs a redirection to the real exploit page. I believe the purpose of having several JavaScript redirections is to have redundancy and increase the reality of the redirection.

Some of the JavaScript is in plain and readable text, and some is obfuscated:

redirection page with obfuscated javascript

De-obfuscated version:

deobfuscated version

When a victim is redirected to the PHP file that serves the real exploits, the script will first check the user agent string to identify the browser. If it is found to be Chrome, it will redirect the victim to yet another page, with a fake Chrome update installer.

screenshot of fake chrome update page

Here is the VirusTotal scan result of the fake Chrome update installer: https://www.virustotal.com/file/a13483a02f4a52cbeea1387add13cb34b769c0fc7555c8c75c7f18060f0bc934/analysis/

If Firefox or Internet Explorer was used instead of Chrome, the PHP file will serve the normal BHEK payload, which will usually attempt to exploit multiple vulnerabilities that exist in Acrobat Reader, Java, and Internet Explorer.

part of BHEK attack script

So why not Chrome? I assume this is due to the features in Chrome itself that will ask for permission before running Java applets, and Chrome will also render PDF in its own built in PDF reader (rather than using Adobe Reader). So if you want to perform a proper analysis on BHEK, make sure you ‘wget’ with the proper user agent, or use ‘view-source’ accordingly.

That’s all from me for now. Stay safe!

— Adnan Shukor

@xanda

Leave a reply


Categories

SATURDAY, OCTOBER 20, 2018
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks