Installation
Your antivirus software might detect Blacole when you visit a compromised or malicious webpage. A compromised webpage is one in which a hacker has inserted malicious JavaScript code without the webpage owner's knowledge.
When you visit the webpage, the JavaScript code - detected as BlacoleRef - is run.
The Blacole family is designed to load a hidden IFrame that contacts a malicious page that is stored on a web server. This page determines information about your browser, like what browser it is (for example, Internet Explorer or Firefox), what version it is, and what plug-ins or extensions you have installed.
The page then redirects the hidden IFrame to another page (or multiple pages) that specifically uses or exploits only those vulnerabilities that your browser is susceptible to. These vulnerabilities are then used to download malware onto your PC.
In this way, Blacole forms part of a larger process, all of which is designed to have the greatest success of infecting your PC with malware.
The attack code is heavily obfuscated to make detection more difficult.
It uses exploits for known and 0-day software vulnerabilities in the Sun Java platform, Adobe applications like Adobe Reader and Adobe Acrobat, and Microsoft components.
Blacole might be downloaded as a DLL file, for example %TEMP%\wpbt0.dll.
The downloaded file is run by using the following command:
The following malware are connected to the Blacole family:
The exploit pack has evolved over time to exploit more vulnerabilities, including:
- CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
- CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
- CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
- CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) lets remote hackers to run arbitrary code
- CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
- CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
- CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
- CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
- CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
- CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
- CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plug-in
- CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
- CVE-2010-3552 - Sun Java Runtime New plug-in docbase Buffer Overflow (aka "Java Skyline exploit")
- CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
- CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
- CVE-2011-3402 - Vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1
- CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier
- CVE-2012-1723 - Unspecified vulnerability in the JRE component in Java (multiple versions)
- CVE-2012-4681 - Arbitrary code execution in Oracle Java 7 Update 6 via a crafted applet
- CVE-2012-5076 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7
- CVE-2013-0422 - Multiple vulnerabilities in Oracle Java 7
- CVE-2013-0431 - Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7
- CVE-2013-1493 - Vulnerability in the color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40
- CVE-2013-2423 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7
The following is a list of some exploits related to Blacole that we detect:
Blacole uses JavaScript on its landing page, and uses a number of DOM (Document Object Module) manipulating functions. When a browser visits an infected webpage it creates several browser cache files (temporary Internet files). This might mean detections for Blacole are triggered from within your browser's cache. The number and availability of cache files depend on a number of factors, including the type of browser and its configuration.
In the background, the compromised webpage uses an IFrame to redirect the browser and run a malicious server-side .PHP script on another compromised web server. The following are examples of the script request and format:
- <site name>/main.php?page=abfd0d069b45c17e
- <site name>/main.php?page=43842ba0d45a9da3
- <site name>/main.php?page=8eac7226b6b12c7d
- <site name>/main.php?page=977334ca118fcb8c
- <site name>/i.php?f=16&e=3
The compromised server typically hosts other malware in folders created by a hacker. This other malware uses the following file formats:
It tries to exploit these related applications to run its payload:
- Adobe Acrobat
- Adobe Shockwave
- Adobe PDF Reader
- Java Runtime Environment (JRE)
The following are examples of malware hosted on a compromised server and run by the Blacole exploit pack:
Blacole can choose from an arsenal of vulnerabilities when it performs an attack. It probes your PC to find out which products you have installed. It can then choose the vulnerability that has the best chance to gain access to your PC. Currently Blacole uses mainly Java and PDF exploits.
Some of the recent malware files associated with Blacole are:
- <domain>/data/ap1.php?f=47
- <domain>/data/ap2.php?f=47
- <domain>/data/field.swf
Payload
Loads exploit files
Blacole will load exploits based on which software is vulnerable on your PC. These exploits include:
The downloaded families of malware that we have observed include:
Additional information
The Blacole exploit pack is sold to hackers for profit. This means hackers are often motivated to use the pack to distribute types of malware that will offset this cost, including:
- Online banking password stealers
- Rogue security software
- Backdoor trojans to leverage additional theft
The first time we saw Blacole in the wild was June 2011.
You can read more about Blacole-related malware in the following blogs:
Analysis by Shawn Wang, Oleg Petrovsky and Patrick Nolan
