2013-06-01 - There's no honor among thieves

Silence Exploit Kit new brows.....oh wait !

Silence Exploit Favicon
(for the thumbnail)


Silence Exploit Kit Logo
A "new" Exploit Kit has been advertised underground for a month. Thanks @UnicornSec for spotting the advert. But if you are busy...just jump to the end.. :) not worth your time.

Thread title :
★♛★NEW ★Silence Exploit  Private Exploit Pack   High Rates   FUD ★ NEW★♛★

Screenshot of the advert
When you click on the Vouches : Spoiler

Silence Exploit Kit - "Vouches"

And the bottom logo in the sig is animated.

Silence Exploit Kit animated logo in "The Silence" signature.


Usually this is the moment where you have to try to find something new...and then make sure it matches. But seeing this :

Invitation to register
I just tried...but the IP of that domain was already familiar
174.120.157.71
21844 | 174.120.0.0/14 | THEPLANET-AS | US | SOFTLAYER.COM | THEPLANET.COM INTERNET SERVICES INC.


Silence Exploit Kit
Login/Register Screen
Now I'll show the registration process and the inside...but you'd better fly fast over it because you may waste your time.

Register - Step 1 - User infos
Register - Step 2 - Verify Data
Register - Step 3 - Finish
Silence Exploit Kit - Home - Dashboard
Silence Exploit Kit - Home - My Profile
Silence Exploit Kit - Exploit - My Files
www.toptonic .bz
5.45.179.44
29141 | 5.45.176.0/21 | BKVG | DE | PROVIDERDIENSTE.DE | BRADLER & KRANTZ GMBH & CO. KG

At that exact moment I knew almost for sure what all this was about and why the first IP was familiar.
Note that when going to : www.toptonic .bz you see


And that was familiar too.

Part of the source code of toptonic .bz index.
Note : www.revolutionmt2 .net
174.120.184.70
21844 | 174.120.0.0/14 | THEPLANET-AS | US | SOFTLAYER.COM | THEPLANET.COM INTERNET SERVICES INC.

I was hoping not to find an evident link..but it's so obvious that I can't ignore it....see later...

Silence Exploit Kit - Exploit - My Thread
Silence Exploit Kit - Exploit - My Stats.
Empty...no active thread...but what is worth noticing is that it's a popup.
And that does not fit with the rest of the user interface (but perfectly sticks to my deep feeling).
Silence Exploit Kit - Scan Service
Silence Exploit Kit - Crypt Service

Silence Exploit Kit - Traffic Service
Silence Exploit Kit - Buy Services

And now...Here was my feeling. All this is just Blackhole subletting !
5.45.179.44 is an IP of a bad bad range that I associate with a Blackhole that appeared on my radar (but was surely operational before) on 2013-05-08 with landing : /transport/posted-sorts.php on TCP port 5555 of IP 5.45.176.207

Checking the server a little I was able to figure out that the mothership (which I usually never disclose - but in that case it serves the explanation) was : 174.120.184.68
Original config was like :

bhadmin : progress
bhstat : service
links : transport
library : fatal
data : continuous
files : locked

We could think it's a shared server...but one user of the forum posted his stats :

Silence...euh Blackhole Exploit Kit Stats with some cosmetics.
And the popup in fact embeds the "bhstats" (see the scroll bar).
At the time of writing : bhstat = service


And that also explains why this Blackhole is so active. I have seen at least 46 distinct file threads in one month. Few Blackholes have such a "thread activity". And also a good number of reverse proxies.
Right now :

Positive IP to "The Silence" Blackhole
in  5.45.176.0/21
On the mother range :

Positive IP to "The Silence" Blackhole in his mothership Range...
70...oh  noze...Jo !
This one also has the same owner :
174.122.75.162

In my opinion there are 2 real servers. One at SoftLayer with (at least) 5 IPs, and one at BKVG with two ranges acting as a proxy.


For the activity you can see on Urlquery :

Cropped screenshot of Urlquery /transport/ search
Some files gathered from this Blackhole - http://pastebin.com/xXaV1Hae :
Files : http://goo.gl/m8qiC (Owncloud)
Some payload from BH EK /transport/
Won't spend time studying that. Some Betabot, UmbraLoader, Bitcoin miner. But we could have guessed based on the forum and :
Comment about "The Silence"
And in fact...we could have guessed far earlier...

The Silence trying to Rent his Rented Blackhole
At that time someone asked him, and it's still a valid question:

Question about his Blackhole subletting back in November
We could have a lot of smiles reviewing the 29-page (2013-06-01) thread...but let's finish this.

"this pack really is the best of the best when it comes to exploit packs" - The Silence

And now embarrassed silence...

For those who jumped straight here from the beginning : this is a subletting of Blackhole Exploit Kit. A fancy front-end to interact with the owner (sic) of the BH EK, which often comes on TCP 5555 (but not always) with /transport/ as thread folder. Let's forget about that :)

<edit2 2013-06-02 22:00> Seems the written explanation is not really good so I added a small illustration.


Illustration
(hope will reply to questions)

In fact, thinking about it, it's more like a front-end to "The Silence", who is manually doing all modifications on the Blackhole. I guess sometimes you have to wait a few hours before getting your thread.
</edit2>
2013-06-02 - Edit 1 : Added the files as I have been asked for.

<edit3 2013-06-07>
/transport/ is now /v12/
</edit3>
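For defenders who want to triage proxy logs against the infrastructure described in this post (the 5.45.176.0/21 proxy range, the named IPs, the TCP 5555 landing port and the /transport/ then /v12/ thread folder), here is an added example that is not part of the original post. The log line format and the sample lines are constructed for the example; only the indicators come from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the BKVG proxy range, the individual IPs
# named, the unusual landing port and the thread folders (/transport/, later /v12/).
PROXY_RANGE = ipaddress.ip_network("5.45.176.0/21")
KNOWN_IPS = {ipaddress.ip_address(a) for a in (
    "174.120.157.71", "174.120.184.70", "174.120.184.68",
    "174.122.75.162", "5.45.176.207", "5.45.179.44")}
LANDING_PORT = 5555
THREAD_FOLDERS = ("/transport/", "/v12/")

# Constructed log format (assumed, not from the post): "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def score_request(url):
    """Return (score, reasons) for one requested URL based on the post's indicators."""
    parts = urlsplit(url)
    reasons = []
    try:
        host = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        host = None  # a hostname, not a literal IP; the post only gives IP indicators
    if host is not None:
        if host in KNOWN_IPS:
            reasons.append("known ip")
        elif host in PROXY_RANGE:
            reasons.append("5.45.176.0/21 range")
    if parts.port == LANDING_PORT:
        reasons.append("tcp 5555")
    if parts.path.startswith(THREAD_FOLDERS) and parts.path.endswith(".php"):
        reasons.append("thread folder")
    return len(reasons), reasons

def triage(log_lines, threshold=2):
    """Return (url, reasons) for every log line whose score meets the threshold."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        score, reasons = score_request(m.group(4))
        if score >= threshold:
            hits.append((m.group(4), reasons))
    return hits

# Constructed sample lines; only the first two should be flagged.
SAMPLE_LOG = [
    "2013-05-08T10:01:02Z 10.0.0.12 GET http://5.45.176.207:5555/transport/posted-sorts.php 200",
    "2013-06-07T08:30:00Z 10.0.0.15 GET http://5.45.179.44:5555/v12/column.php 200",
    "2013-06-07T08:31:00Z 10.0.0.15 GET http://example.invalid/transport/about.html 200",
    "2013-06-07T08:32:00Z 10.0.0.16 GET http://203.0.113.9:8080/index.php 404",
]
```

The threshold of two indicators keeps a lone request to the SoftLayer ranges (which are shared hosting) from firing on its own.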