The author of the notorious BlackHole has admitted to be behind a recently uncovered exploit pack dubbed Cool Exploit Kit, which has been used to distribute ransomware.
According to Brian Krebs, Cool Exploit Kit – which is currently being rented for $10,000 (8,000 EUR) per month – incorporates only custom zero-day exploits.
“Everyone is aware of the problem which exists now on the exploit market! To solve this problem, our team prepared the following exclusive program of purchasing new browser and browser plugin vulnerabilities,” the malware authors said when they announced the new exploit kit.
“Not only do we buy exploits and vulnerabilities, but also improvements to existing public exploits, and also any good solutions for improving the rate of exploitation. The ‘meat’ of the project: We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public.”
It’s uncertain how many cybercriminal gangs are currently using the new exploit kit, but it’s believed that it’s utilized exclusively by two groups that make a profit by extorting money from internauts with the aid of the Reveton ransomware.
One of the groups is said to be making around $400,000 (310,000 EUR) per month from their schemes, which means that they could easily afford to rent the expensive crime kit.
French security researcher Kafeine was among the first to notice the connection between the BlackHole and the Cool exploit kits. He found that, shortly after an exploit used in Cool would become publicly known, it would be integrated into BlackHole.
Back in November 2012, researchers from Sophos also studied a campaign that leveraged Cool Exploit Kit to spread ransomware. At the time, they also noted that Cool was very similar to BlackHole.