If you think Blackhole is dangerous, watch out for Cool Exploit

Jack

Info Security said:
A new exploit kit pushing out the Reveton ransomware was noticed in the latter half of last year. Connections to Blackhole were soon revealed. Now it seems that the same gang is behind both kits.

In November, the French researcher known as Kaffeine was examining the distribution of the Reveton malware via the new Cool EK (now better known as simply Cool Exploit). “Be ready to see same kind of post for Blackhole 2.0 (or update to 2.1) soon, as chances are HUGE that Paunch is indeed behind Cool EK code,” he wrote. Paunch is the nickname used by the Blackhole author.

What has emerged, however, is not the merging of Blackhole and Cool Exploit but their separation into two distinct products serving two distinct market segments. Blackhole, notes Brian Krebs, “has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb.” Now, however, the author (Paunch) “has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.”

It would seem that Paunch has made enough money from Blackhole to fund the development and expansion of Cool Exploit. Krebs quotes an associate of Paunch from an underground forum, “We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us). Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists).”

Read more: http://www.infosecurity-magazine.com/view/30090/if-you-think-blackhole-is-dangerous-watch-out-for-cool-exploit/
 
