Cybercriminals are relying on the crime pack's name to promote their products

Sep 21, 2012 07:41 GMT  ·  By

After the world found out that the developer of the infamous BlackHole exploit kit had released the 2.0 version, most cybercriminals have probably started looking for it. However, as it turns out, not everything that’s advertised as BlackHole 2.0 is the real deal.

Experts stumbled upon a website that allegedly advertises the exploit pack. All the features are listed and there’s a button at the bottom of the page which supposedly leads to a download link.

After closely analyzing the site, Symantec researchers noticed that the listed features are in fact those of BlackHole 1.x, not of the new variant.

The website is actually relying on the name and reputation of BlackHole 2.0 to advertise something entirely different. A blue box at the top of the page offers Russian-speaking customers services such as domain name registration, server hosting, and JavaScript and iframe encryption.

Experts believe that those who set up the site aren’t connected to BlackHole in any way, and they might not even own it. Instead, they turned to its name in order to advertise other services that are usually utilized by cybercriminals.

“Altogether these services could offer cybercriminals a complete infrastructure to be used for hosting cybercrime operations. In fact, the website advertising encryption and the one advertising domain registering are both well known for providing infrastructures aimed at ‘dirty ops’,” Lionel Payet of Symantec explained.

Researchers determined that the 2.0 variant of the exploit kit is not offered on these pages because the name of the page is bhstat.php (a known filename for the old version), and there aren't any other BlackHole PHP pages present.

The only thing that’s related to the recently released version is a Java pack, but that’s only mentioned by name, probably to make everything more legitimate-looking.