Chrome Playing Hard to Get with Blackhole Exploit Kit

Google’s Chrome browser is something of a tough customer for the infamous and widely deployed Blackhole Exploit Kit, according to Blue Coat security researcher, Adnan Shukor.

Google’s Chrome browser is something of a tough customer for the infamous and widely deployed Blackhole Exploit Kit, according to Blue Coat security researcher, Adnan Shukor.

Shukor notes there has been an uptick in the kit’s use of plain HTML files, instead of iframes, to redirect users to exploit pages. While the malicious HTML file is loading, users are presented with some sort of loading, waiting, or connecting to server message before they get redirected to the compromised site.

After the redirect, a script kicks in to check the user agent string and identify the browser. If the browser is detected as Internet Explorer or Firefox, then Blackhole executes its normal payload, attempting to exploit any number of Reader, Java, or Internet Explorer vulnerabilities. However, if a user is operating on the Chrome browser, a second redirect takes place, leading that user to fake Chrome update installer that they must agree to download.

Chrome update

Shukor claims the disparity in the way Blackhole exploits Chrome and its method for other browsers likely has to do with Chrome’s rendering of PDF files in its non-Adobe PDF reader and a feature that requires user permission before running Java applets.

The Blackhole Exploit Kit has been around for years and shows no signs of slowing down. It got an upgrade back in September that added a number of new features that make it harder for researchers to access and reverse-engineer the kit, to URL randomization that makes tracking down compromised sites nearly impossible, to replacing old, less effective exploits with new ones, less likely to be patched on user-machines.

Not a week, it seems, goes by where you don’t read some story about some new iteration or use of the kit, whether it’s spoofing some payroll confirmation email or masquerading as a Facebook alert.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.

Discussion

  • Rafa Salário Mínimo on

    What about Internet Explorer 10 Metro (modern)?

  • Sean de Erio on

    what if they had a internet security?

  • Jumex on

    Shukor disregards mobile browsers like Safari, which are also addressed differently by Blackhole. That might be because Bluecoat proxies typically analyze traffic from internal organizational networks which don't really provide much data on mobile browsers. That's an interesting gap to fill in this review.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.