The name BlackHole looms large over the marketplace for crimeware kits, but a new player is said to have emerged with similar code and a similar name.
Known as Whitehole, the kit differs from BlackHole in that it does not use JavaScript to hide its use of plugindetect.js; instead, it uses the script directly, without obfuscation. Among its features are the ability to evade anti-malware detection efforts, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once.
"We [analyzed] the related samples, including the exploit malware cited in certain reports," according to Trend Micro. "The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system: CVE-2012-5076, CVE-2011-3544, CVE-2012-4681, CVE-2012-1723 [and] CVE-2013-0422."