The Blacole exploit pack is sold to attackers for profit. This means attackers are often motivated to use the pack to distribute types of malware that will offset this cost, including:
- Online banking password stealers
- Rogue security software
- Backdoor trojans to leverage additional theft
The first time we saw Blacole it in the wild was June 2011.
can be encountered when you visit a malicious webpage using a computer with vulnerable software installed.
When you visit an infected website you are often presented with a blank page that says: please wait page is loading.
The attack code is heavily obfuscated to make detection more difficult. It uses code exploits for known and 0-day software vulnerabilities in the Sun Java platform, Adobe applications such as Adobe Reader and Adobe Acrobat, and Microsoft components.
may be downloaded as a DLL file on an affected computer, for example %Temp%\wpbt0.dll.
The downloaded malware file is run locally by using the following command:
The following malware are connected to the Blacole family:
The exploit pack has evolved over time to exploit more vulnerabilities, including:
- Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
- Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
- Adobe Reader "util.printf" Vulnerability
- Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
- Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
- Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
- Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
- Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
- Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
- Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
- Java argument injection vulnerability in the URI handler in Java NPAPI plug-in
- Microsoft Help Center URL Validation Vulnerability
- Sun Java Runtime New plug-in docbase Buffer Overflow (aka "Java Skyline exploit")
- Sun Java Applet2ClassLoader Remote Code Execution Exploit
- Adobe Flash Player Unspecified Memory Corruption Vulnerability
- Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier
- Unspecified vulnerability in the JRE component in Java (multiple versions)
- Arbitrary code execution in Oracle Java 7 Update 6 via a crafted applet
- Multiple vulnerabilities in Oracle Java 7
- Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7
The following is a list of some exploits related to Blacole that we detect:
In the background, the compromised webpage uses an IFrame to redirect the browser and execute a malicious server-side .PHP script on another compromised web server. The following are examples of the script request and format:
The compromised server typically hosts other malware in folders created by an attacker. This other malware uses the following file formats:
It attempts to exploit these related applications to execute its payload:
Adobe PDF Reader
Java Runtime Environment (JRE)
The following are in-the-wild examples of malware hosted on a compromised server and run by the Blacole exploit pack:
can choose from an arsenal of vulnerabilities when it performs an attack. It probes your computer to find out which products you have installed. It can then choose the vulnerability that has the best chance to gain access to your computer. Currently Blacoleuses mainly Java and PDF exploits.
Some of the recent malware files associated with Blacole are:
Loads exploit files
will load exploits based on which software is vulnerable on your computer. These exploits include:
The downloaded families of malware that we have observed include:
You can read more about Blacole related malware in the following blog articles:
Analysis by Shawn Wang, Oleg Petrovsky and Patrick Nolan