2013-10-11 - Landscape

Paunch's arrest...The end of an Era !

snipshot of :
Spin up of a Supermassive Black Hole 
Illustration Credit: Robert Hurt, NASA/JPL-Caltech

Note: This post is a work in progress. Not all group have transitioned. So I will update (if I am able to spot them again) and add some links to significant external posts.
Disclaimer: I do not have the telemetry Antivirus or IDS Vendor can have...sure we could have a better picture than that.

If you are reading this you already know that Paunch, the coder behind Blackhole, has been arrested.

What i will try to cover here is the transition/impact of this on the groups using the Blackhole/Cool EK weapon.
The evolution of what i can see from the "driveby battlefield".

The Actors :

Here are the main groups I am aware of who were using the Blackhole or the Cool EK at the time of arrest. I will describe the distribution, the threats but won't talk (maybe only for now) about the way they handle the "poke a mole" with the Defense (Domains, IPs).

- "Reveton Team" or "Mr.J/MonsterAV" : Cool EK lately on tcp 1024

Cool EK "Reveton" - 2013-10-07 01:37
First customer from Cool EK. I would say their golden age was 1 year ago. They were infecting more than 30k machines a day with Reveton when Cool EK was released (stats were easy to gather)

Distribution : Traffic coming from multiple sources including lately CookieBomb ("Tale of the North" Iframer)
Threat : Mainly Reveton (some Live Security Professional?) . Hundreds of Samples a day. Around 30 threads.

- One Urausy affiliate member (or BestAV itself??) : Cool EK /index.php?p=

Cool EK "Urausy/FakeAV" & Urausy Calling Home
2013-10-04 07:00
Distribution : From what I saw mainly Porn Malvertising and few compromised websites.
Threat : Urausy / Fake AV. See: The missing link - Some lights on "Urausy" affiliate 2013-05-29

- Home Gang  (or q.php or Darkleech fuelled) :

/Home/ Blackhole - 2013-09-30
Distribution : Traffic from Darkleech Module (installed on compromised server via Cpanel/ Parallels Plesk vulns)
Filtering IE only both on the Darkleech Side and on the Blackhole itself.
Threat : They were pushing Pony which was then (depending of your country) pushing Urausy or Nymaim.b (which itself was loading Zaccess or Nymaim.a Ransomware). 1 thread, around 30 rotation a day.

See : Late Disclosure - Darkleech Actors /Home/ - some numbers 2013-10-10 (more reading there)

- Ex-Tkr  /i/last blackhole (or CDorked.A Fuelled) :

Ex-Tkr Blackhole Pushing Carberp.J (MS) aka Glupteba.G (Eset)
Distribution : As far as i know mostly Cdorked.A module installed on server running compromised Cpanel/Parallels Plesk, and some fake porn website
Threats : 3 threads, 2 payloads familly : Carberp.J (200ko) and Leechole (50ko)
More than 240 samples a day (15-20 for Carberp - and around 110 for each Leechole).

See: Linux/Cdorked.A malware: Lighttpd and nginx web servers also affected 2013-05-07 Marc-Etienne M. Léveillé 2013-07-05

- /closest/ Blackhole :

BH EK Closest pushing the STI (pay per install clickfraud) Payload

Distribution : Lately, mainly LinkedIn spam redirecting to some compromised wordpress.
Threats : Zaccess, Cutwail, STI (Pay Per install clickfraud affiliate tied to Zaccess). They pushed some Cridex in the past too.

- /topic/  - Zeus Game Over gang :

This is the blackhole with the highest number of threads. Not sure it can be operated by only one guy. Or he must be really well organised !

/topic/ BH EK pushing  2 payloads (ZGO & Dipverdle (a loader) )
Distribution : Many compromised website (OT: they are also working a lot by mail attachments)
Threats : More than 60 threads. More than 2000 rotating samples a day.
 The main activity is pushing Pony (different for many threads) as a loader for ZeusGameOver.
But we could see also : Medfos, MagicTraffic (PPI ClickFraud tied to Zaccess), some fakeav, even Kovter Ransomware.

- /ngen/ Blackhole

/Ngen/ Blackhole pushing Citadel (you can see the call home : /ckt/ ) and Zaccess
Note the duqu like front drop (shrift.php - CVE-2011-3402)
Distribution : A lot of compromised website with a TDS sharing (hosted with?) the infrastructure of the Blackhole. (/sword/in.cgi may remind you things)
Threats : Shylock, Zaccess, those day (but some Sinowal, Ursnif, Zbot, Citadel in the past too)

- /xlawr/ Blackhole

/xlawr/ Blackhole pushing FakeRean
Distribution : mainly compromised websites.
Threats : 2 threads around 50 samples a day: Zaccess and FakeRean 855ko

- Customer "hosted 1" in Rented mode (will cover the main based on traffic amount and longevity).

Distribution : Compromised website, 2 step (with a js on another compromised site as TDS)
Threat : 1 thread, 3 payloads. For instance :
525226d13a45ade20dafbe9f9c9a2a23 (Pony)
2964a7f348b0bb9cf1c0228faf4b59b5 (Zaccess)
871943c23662e6da246aa34534ba47aa (zbot)

- /news/ Blackhole

/news/ BH EK pushing Zeus Game Over
Distribution : mainly via spam (lately related to Pinterest)
Threats : fast rotating thread...hard to follow. Lately pushing ZeusGameOver
But in the past they were pushing Cridex/Bugat, or Inlev.B gathering Tesch.A (Zaccess?), or Ursniff
Some of their domains : bbb-complaints.org, pinformer.net, cool-mail.net
They are not new in the business : http://blog.dynamoo.com/2012/06/wire-transfer-hp-spam-and.html
Some Urlquery traces

- /vague/ Blackhole

This blackhole was hard to find. It was the infector for the Citadel /ppp/ that made some noise for being Japan and Germany focused.

I won't talk about /adfasdfksjdfn/ Sinowal BH EK (while still reachable it's not in use anymore) neither the white/purple Cool EK which is blinking (and quite surely built on a leak of Cool EK Code) neither the /reveals/ or /news/ blackhole  (except if i spot the groups after transition).

That day: 2013-10-07

This was ground breaking for me...Seeing the source that could only be true.
That really sounds like....malware now need coffee ...or anxiolytic.

I tried to find some kind of evidences.

I knew it was up few days earlier cause I gave it a visit again after the  "Expanding Business: JavaScript Cryptor Offered by Author of Blackhole Exploit Kit" post from Fortinet. (2013-10-01)

Two hours after the tweet, Underground started to react.

Verified :

Verified - Cleaning Mode 2013-10-07
Few hours after the tweet goes viral.

Exploit .in :

Paunch Blackhole forum thread :

Paunch renamed

I also noticed that "Sweet Orange" account was active (trying to get some news I guess).
Nuclear Pack was not anymore on both of these forum but still on darkode.

Neutrino Author's reaction :
Price increase for non Russian customers to 10k/month
<edit:2013-10-11>Now 1 000 000$ per month - See advert here : http://pastebin.com/raw.php?i=6xZDGadQ </edit>

Since then we can see some actors trying to reach Paunch associates in Cool EK or find new solution

"желаю Панчу мужества и побыстрее решить проблемы, но несмотря ни на что работать то нужно"
that mean something like :
"I wish Paunch courage and quickly solve the problem, but no matter what we need to work"


"Ребят, если кто работал с панчем по приватному проекту связки - дайте знать. Я - один из клиентов. "
that can be translated as :
"Guys, if anyone has worked with Paunch for a private Exploit Kit project - let me know. I am one of the clients."

That same day i tried to make a "photo" of the battlefield state (going on each of the exploit kit illustrated here)

2013-10-07 - between 2 and 3  hours after the news goes viral
What can we see : The Rented Blackhole are already out.
The Darkleech/Home one is also 502ing.
(I was wondering if the operators are not part of the "partners" mentionned in the tweet).
ALL exploit kit are using an almost 4 days old Jar.
In fact it's a simplification cause there are 3 jars (depending of your config) which are :

3bebb777a0b3e7d416a6327a4777b630 - CVE-2013-2465
c61923eb060b42b6d27373b2d44e7839 - CVE-2013-2460
3478966161745cf3401b2a534523a4bc - CVE-2013-0422

And guess what ? you still can't find newer one on Blackhole.
Just now :

Sploit folder state in one of those blackhole.

The Transition :

- "Reveton Team" or "Mr.J/MonsterAV" : 

The redirector linked to the "Tale of the North" iframer restarted the redirect only 5 hours after the tweet traffing to Whitehole.

2013-10-07 5 hours after the tweet
Reveton team has already switched to WhiteHole
That was a weird move knowing the conversion rate of this Exploit Kit.
And it did not take long.

The day after the group was moving again. And what i thought was a Whitehole mutation, was more an intermediate state (to avoid loosing traffic?)  :

Reveton team transitionning from WhiteHole (tcp 2780) to ....
Something New on tcp80 - 2013-10-08
ProTransition ! No interruption.
And here is the Reveton Group in it's state today :

Angler EK pushing Reveton
I won't make a full post about what we will call Angler EK. One Jar Exploit kit for now.
Xoring payload with key easily found on the landing. No Jsdetect. For sure it's an emergency solution.

Why Angler EK ? cause we can't name this a Monster EK.

Advert for Reveton/Live Security Pro Distribution
(nice Angler Fish ! )
Files: Angler EK Fiddler (owncloud via goo.gl)

- Ex-Tkr  /i/last blackhole (or CDorked.A Fuelled) : 

Reading this : Close encounter with Linux/Cdorked.A - Kimberly 2013-10-13 - Stopmalvertising
It seems this group has moved to Neutrino (>>  Seems like those guy talk Russian :) ). Same infection source (compromised website with CDorked.A, same TDS and Domain Pattern).

Thanks Kimberly for the solid Referer 

Ex-TKR Neutrino Thread 2013-10-14
Pushing quite surely Carberp.J/Glupteba.G
Payload:  95ffc438836b4bddb4d85faebde775cd  260ko...Should be Carberp.J/Glupteba.G
One more : 0622efb24e8436d50d14f387fdb31fac

And one more pass (from FR to get the Leechole)

Ex-TKR Neutrino Thread 2013-10-14
Pushing maybe Leechole
Payload : feb4dd00e920170c0d0320ab170c83fa 100ko Should be Leechole.

But calls are sligthly different (an upgrade ? something else? ):
-----C&C----- tcp 8000
GET /stat?uptime=100&downlink=1111&uplink=1111&id=0002D9BC&statpass=bpass&version=20131011&features=30&guid=4c59a191-ced9-40d6-887f-1c2d0668a4a6&comment=20131011&p=0&s= HTTP/1.0
(via  Joe Sandbox Cloud )

Files:  3 payloads (Owncloud via goo.gl) Would love any feedback on those samples.

- /news/ Blackhole
They are back on Magnitude. By mail again (pinterest stuff).

/news/ Blackhole operators are now on Magnitude
Three payloads pushed via recently integrated CVE-2013-2551
Here :
ebfe57976c5840a578dd60f997418689  Zaccess
c4d71b94cfe3adbba8f43d927a0d8a0f MS: Inlev.?
35a613825af980eb1010e8462d5acc1d ZeusGameOver

From US same pass dropped me a 4th Payload which was : aa0f08a3fab179a071b1576fd3755a8e (Tesch.B)

Files:  3 payloads (Owncloud via goo.gl) Would love any feedback on the first two samples.
See also : Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit 2013-10-18 - Dell Secureworks CTU

- /vague/ Blackhole : 

They move to Nuclear Pack. Here in action :

Nuclear Pack (rejecting non JP traffic) pushing Citadel

Payload : d6ed9120d489227c7195cb792581f068

- Home Gang  (or q.php or Darkleech fuelled) :

No Exploit Kit spotted for Now
Nymaim: Browsing for trouble - 2013-10-23 - Jean-Iain Boutin - Eset

- /topic/  - Zeus Game Over gang :

No Exploit Kit spotted for Now
Zgo keep spreading via mail attachment (source : Dell SecureWorks), now using Upatre.
Read: Upatre: Another Day Another Downloader Brett Stone-Gross and Russell Dickerson - 2013-10-04

- /ngen/ Blackhole :

"Ngen" Sutra traffing to Nuclear Pack.
Threats : Zaccess (SmartPrivate) & Shylock
Payloads :
6123a7fde34de0237c644e5e1381af50 Zaccess
5c446faa9ebebfc9de85dc84c7559d07 Shylock

--- Blackhole still receiving Traffic 2013-11-26 ---

--- That's all folks. For now ---

If you have any intel, information, question about this, I'd love to hear about it. [email protected]
Clarification: I did not contact Media as it is written here or there. I only replied to questions I received in my mailbox following some tweets (please consider it before thinking : "Media Whore").

PS  : Sharing is part of our defenses. Crediting is part of the trust/sharing process. You can freely use data from here but please, don't be a douchebag, credit your source. Each time I see/read/hear someone bragging with data he easily gathered here (without crediting)... the idea "stop the share" "pop" in my mind.

Reading :
2013-12-06 - Google Translate of the Official Announcement - Russian Ministry of Internal Affairs
2013-12-06 - Group-IB assists to suppress activities of the “Blackhole” exploit-kit author, said “Paunch” is arrested - Group IB