Blackhole exploit kit spotted in attacks over the weekend

Nov 19, 2015 11:14 GMT

A new variant of the Blackhole exploit kit may be in the works, if we are to believe the security researchers at Malwarebytes, who recently stumbled upon an older version of the exploit kit deployed in live campaigns.

The Blackhole exploit kit was one of 2013's most dangerous threats, infecting millions and earning criminals, according to authorities, over 70 million Russian Rubles (2.1 million USD / 1.5 million EUR at 2013 exchange rates).

Russian police eventually cracked down on its operator, a Russian hacker who went by the name of Paunch, arresting him in October 2013 together with 12 other suspects.

Soon after Paunch's arrest, the Blackhole exploit kit's source code was leaked online. Usage increased right after the leak, but with the source available, security vendors were able to easily nullify its attacks.

Usage rates then dropped, as nobody was left to maintain the code, and cyber-gangs slowly replaced Blackhole with other, more dangerous exploit kits such as Magnitude, Angler, Neutrino, and Nuclear.

Someone may be trying to update Blackhole's code

In one of today's more surprising pieces of news, Malwarebytes is reporting new signs of life from a malicious campaign that uses Blackhole.

The researchers say that the exploit kit's code is the same as the original, but criminals are using it to deliver new malware payloads through its Java and PDF exploits.

The new attacks were detected over the weekend, and the updated malware payloads have a very low detection rate on Google's VirusTotal scanning engine.

Fortunately, because the attacks rely on the older Blackhole kit to infect victims, almost all modern security tools are capable of detecting the threat and stopping the intrusion in time.

"We are not quite sure why this old exploit kit is being used in live attacks considering the infection rate would be quite low due to the aging exploits," said Jérôme Segura from Malwarebytes. "One hypothesis could be that the source code being public, it is a free platform that can be built upon and updated."

Paunch, Blackhole Exploit Kit author
Blackhole exploit kit campaign detected in 2015