It should surprise no one that a viable successor to the Blackhole exploit kit has yet to emerge in the criminal underground. It has been less than three months since the arrest of its alleged creator, Paunch, sent cybercriminals reliant on the toolkit scrambling for a replacement, and, as with any profitable business venture, new products must prove their mettle before widespread adoption happens.

“There are many kit vendors and distributors competing for customers and have replaced Blackhole,” explained Kaspersky Lab senior security researcher Kurt Baumgartner. “Over time, a single one most likely will stand out, but that can take a couple of years, like any active criminal marketplace.”

In the meantime, experts are keeping an eye on any number of kits in circulation, each with its own twist on the same business model: the kit is sold or rented to criminals, who plant redirect code on compromised websites (or buy malicious ads) to funnel visitors to a landing page, where the kit exploits vulnerabilities in Java, Adobe and other massively deployed client products and drops financial malware on the victim's machine.
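The first hop in that chain is the redirect planted on a legitimate site, most often a hidden iframe, or a script that writes one, pointing at the kit's landing page. The following is an added example, not code from the article or from any of the researchers quoted in it: a small Python scanner that flags iframes that are both hidden (zero or one-pixel size, or hidden with inline CSS) and off-site. The two HTML pages and every hostname in them are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages for this example (no real site is involved):
# a clean page with a legitimate same-site iframe, and a page carrying the kind
# of injected, hidden, off-site redirect that sends visitors to a kit landing page.
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://landing.example.net/index.php?id=1" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write('<iframe src="http://landing.example.net/index.php" width=0 height=0></iframe>')</script>
</body></html>"""

# Opening <iframe ...> tags (also catches one written from inside a script string).
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
# name="value", name='value' or name=value attribute pairs.
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(attr_text):
    """Map lower-cased attribute names to values for one tag's attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def is_hidden(attrs):
    """True if the frame is sized away (<= 1px) or hidden with inline CSS."""
    def tiny(value):
        try:
            return int(value.strip().rstrip('px')) <= 1
        except ValueError:
            return False
    style = attrs.get('style', '').replace(' ', '').lower()
    return (tiny(attrs.get('width', '100')) or tiny(attrs.get('height', '100'))
            or 'visibility:hidden' in style or 'display:none' in style)


def is_off_site(src, site_host):
    """True if the frame loads from a host other than the site or its subdomains."""
    host = (urlparse(src).hostname or '').lower()
    return bool(host) and host != site_host and not host.endswith('.' + site_host)


def find_injected_iframes(html, site_host):
    """Return the src of every iframe that is both hidden and off-site."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get('src')
        if src and is_hidden(attrs) and is_off_site(src, site_host):
            findings.append(src)
    return findings


if __name__ == '__main__':
    for name, page in (('clean', CLEAN_PAGE), ('injected', INJECTED_PAGE)):
        print(name, find_injected_iframes(page, 'example.com'))
```

The check is deliberately conservative: a frame must be both hidden and off-site before it is reported, so legitimate same-site widgets pass. In practice the redirect is often buried in obfuscated JavaScript that assembles the URL at runtime, which a static regex will not see, and ad networks legitimately load off-site frames, so a real deployment would pair this with an allow list of known third-party hosts and with rendered-DOM inspection.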

Blackhole had been the king of the exploit kits since its debut on the black markets in 2010. It was a refined toolkit of exploits that let the criminals who rented or leased it infect computers with crimeware such as banking Trojans, to great profit.

“Blackhole development steadily was completed over time, resulting in a robust feature set. Its popularity overtook the popular Eleonore and Phoenix Kits at the time, in part because it was so frequently and reliably updated with effective exploits and features,” Baumgartner said. “It was highly customizable, provided effective traffic direction features, had multiple operating sales models, the distributors were well connected with additional offensive add-on sellers, and its cost was comparably competitive, among other things.”

Blackhole, along with another alleged Paunch creation, Cool, fell off the market in October shortly after the arrest of its alleged Russian creator. Within days, researchers and customers noticed that the exploit kit was no longer being updated daily with the latest available exploits, and a number of Blackhole sites were returning gateway errors. The kit’s frequent updates, sometimes twice daily, along with its relatively affordable price ($50 a day, $1,500 for an annual license), went a long way toward making it the exploit kit of choice.

“I think the whole infrastructure around Blackhole was unparalleled at the time,” said Websense director of security research Alex Watson. “I think it’s going to take time for cybercriminals or other competitive exploit kits to get to the same level of proficiency that Blackhole had.”

Watson has observed criminal groups aggressively trying to recover the revenue lost post-Blackhole, going for multiple infections on the same machine, not only with banking malware but even with ransomware such as CryptoLocker.

“In that time, you see experimentation, and definitely, these groups have lost money,” Watson said. “It will be interesting to see, and a difficult conclusion to come to, as to the overall financial impact these groups have had after Blackhole when they started both more aggressive installations of malware, and then in some cases, more sophisticated or damaging malware to get people to pay.”

As for a successor, Magnitude seems to be the leader in the clubhouse, in particular after a malvertising campaign was uncovered this week on Yahoo sites in Europe redirecting victims to the kit. Magnitude was also used in a hack of php.net in October. French researcher Kafeine ranked it behind Neutrino and has spotted a number of ransomware campaigns using the kit. There is a vast menu of exploit kits on the market, however, including RedKit, Nuclear, Bleeding Life, Sweet Orange, Angler, Sakura, Styx, and others.

“Any of the packs that include aggressive server side polymorphic features, 0day exploits, is reliably updated, and is an effective part of any sustained mass exploitation and stealing effort, is interesting,” Kaspersky’s Baumgartner said.

One as reliable as Blackhole, and updated as frequently, has yet to be found.

“Another possibility is that these criminal gangs are waiting for these kits to get enough momentum so that they can count on it,” Websense’s Watson said. “And in the meantime, they’ve been investing in other elements of attacks, whether it be different types of malware like ransomware variants such as CryptoLocker, where you wouldn’t have to have as many versions installed to get quite a bit of revenue coming in for these gangs.”

Some campaigns, such as the long-running Cutwail spam botnet, relied heavily on Blackhole as their initial infection vector, then tried their hand with Magnitude, before relying of late on direct attachments, or links in spam email that lead straight to Cutwail downloads.

“What we’ve seen post Blackhole is this immediate cutoff where the URL-based attacks inside these emails declined because of the Blackhole infrastructure going down. And then we see a resurgence of this where Magnitude was used pretty heavily by at least one of these groups but then they dropped off using that as well,” Watson said. “That leaves us speculating, giving us an interesting look at the criminal community that leaves you open to speculate why they experimented with Magnitude and then moved away.”

Watson’s initial thought is that the business case isn’t quite right with Magnitude.

“When they adopt exploit kits, it’s a mixture of the frequency of adoption to avoid security solutions and how quickly it incorporates the latest exploits,” Watson said. “The third aspect is the cost of the business arrangement for the exploit kit and if it can be competitive with what Blackhole was before.”
