When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
The Cool exploit kit isn’t as well-known as Blackhole, but it is just as dangerous and was being sold at a much higher price during its heyday. Blackhole is one of the more venerable exploit kits for sale on the underground markets and it has been very popular with a variety of attackers and malware gangs over the years. It’s often used in drive-by download scenarios to compromise users’ machines through the use of browser exploits or exploits for plug-ins such as Java or Flash. Blackhole customers could buy a yearly license for about $1,500 or even just rent it for a day for $50. Cool could rent for as much as $10,000 a month.
A malware researcher who uses the name Kafeine and closely follows the sale and use of exploit kits has looked at the major groups that have been using Cool and Blackhole in recent years and found that Cool is virtually gone from the exploit kit landscape. The only crew still using Cool is the Reveton gang, which Kafeine said was the first major customer for the exploit kit, and has been using it for more than a year to push their ransomware. Reveton has taken many forms in its lifetime, showing up as fake FBI or Justice Department warnings about illegal content on a user’s machine.
The Reveton gang is still using Cool, but it’s not the main version of the kit. Like many of the other exploit kits, there are so-called private versions of Cool available for sale to premium customers at premium prices. They often will include private zero day vulnerabilities not available to other users and extra features. Kafeine said via email that the Reveton crew is using its own version of Cool these days.
“Cool has disappeared with Paunch. Main user (reveton Team) is now on a ‘private’ EK that we decided to name Angler EK,” Kafeine said.
The Angler exploit kit was the first to add the Microsoft Silverlight vulnerability CVE-2013-0074. As for Blackhole, there are still a handful of attack groups using it, but Kafeine said that he has seen about a 98 percent drop in the usage of that exploit kit since the arrest of Paunch.
“[Blackhole] is almost dead,” he said.
The one main group that’s using Blackhole is known as /closest/ and has been pushing out LinkedIn spam with malicious links to pages that deliver the exploits. The crew is using Blackhole for a variety of purposes, including pushing the Cutwail bot, some pay-per-click malware and other threats.
Image from Flickr photos of NASA Goddard Space Flight Center.