Blackhole exploit kit makes a surprising encore appearance

Malwarebytes saw an attack that reused old exploits, probably limiting its effectiveness

The Blackhole exploit kit has made a surprising reappearance two years after cybercriminals stopped using it, according to security vendor Malwarebytes.

Exploit kits are frameworks planted on Web pages that try to find software flaws on the computers in order to silently install malware.

Blackhole was one of most popular exploit kits, but it faded from prominence after its alleged creator, who went by the nickname Paunch, was arrested in Russia. The kit was sold or rented to other cybercriminals in the underground economy for hacking tools.

About four years ago, the source code for Blackhole was leaked, which led to more cybercriminals using it. But exploit kits require quite a bit of ongoing maintenance, and fresh exploits for new vulnerabilities need to be integrated to maintain high infection rates. 

For some reason, whoever decided to start using Blackhole recently made a large error and left the server that hosted the exploit kit's infrastructure open on the Internet, which allowed Malwarebytes to take a look.

blackhole exploit kit Malwarebytes

Malwarebytes said the server hosting the Blackhole exploit kit's infrastructure was unprotected.

The attack seen by Malwarebytes uses old PDF and Java exploits, wrote Jerome Segura, a senior security researcher for Malwarebytes, in a blog post on Tuesday.

"Although the exploits are old, there are probably still vulnerable computers out there who could get compromised," Segura wrote. "We are not quite sure why this old exploit kit is being used in live attacks considering the infection rate would be quite low due to the aging exploits." 

Join the CSO newsletter!

Error: Please check your email address.

More about Malwarebytes

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

More videos

Blog Posts