Attackers favor exploit kits because they offer point-and-click exploitation, a large pool of potential victims, and a low bar of technical knowledge for the operator. Attackers also favor Microsoft vulnerabilities, especially unpatched ones, because of the massive installed base, and at least some users of the Black Hole exploit kit have begun using the exploit for the critical MSXML vulnerability in their attacks.
The CVE-2012-1889 vulnerability in the MSXML component used by Internet Explorer has been exploited by attackers for several weeks now in various scenarios. The first attacks used malicious Office documents as the delivery mechanism for the exploit code, and they were launched even before the vulnerability information was public. A second wave of attacks began shortly after the vulnerability details were published, and that series used malicious Flash files to deliver the exploits.
There is a module in the Metasploit Framework that can be used to exploit the MSXML vulnerability as well, and researchers say that the attackers behind some versions of Black Hole have been using an exploit that looks a lot like the Metasploit code.
“Sure enough, within a week, CVE-2012-1889 exploiting code very similar to that published to Metasploit was seen within the landing page of a Blackhole exploit kit site,” Sophos researcher Fraser Howard wrote in a blog post.
“The code is bundled alongside the various other exploits that Blackhole currently targets. The landing page itself is obfuscated in the usual manner we expect for Blackhole, using the latest anti-emulation tricks in an attempt to thwart detection.”
Black Hole is a dangerous and widely used exploit kit that is sold on underground sites, much as similar kits such as Phoenix and Eleonore are, and it includes exploits for a variety of vulnerabilities. Which exploits are included can depend on which version of the kit a buyer purchases and from whom. But once an exploit is available in one version, it can then spread to other versions of Black Hole or to other exploit kits altogether.