{"id":9274,"date":"2013-01-08T00:00:04","date_gmt":"2013-01-08T07:00:04","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=9274"},"modified":"2018-01-30T11:12:53","modified_gmt":"2018-01-30T18:12:53","slug":"black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/01\/08\/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity\/","title":{"rendered":"Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity"},"content":{"rendered":"

Historical cybercrime performance activity of multiple gangs and individuals has shown us that, in order for them to secure multiple revenue streams, they have the tendency to multi-task on multiple fronts while operating and serving the needs of customers within different cybercrime-friendly market segments.<\/p>\n

A logical question emerges in the context of the fact that 99% of all the spamvertised campaigns we’re currently intercepting rely on the latest version of the Black Hole Exploit Kit<\/strong><\/a>\u00a0– is Paunch, the author of the kit, multi-tasking as well? What’s the overall impact of his ‘vertical market integration<\/strong><\/a>‘ practices across the Web beyond maintaining the largest market share of malicious activity in regard to Web malware exploitation kits?<\/p>\n

Let’s find out by discussing two of his well known revenue sources and sample a campaign that’s relying on the managed iFrame\/Javascript crypting\/obfuscating service that he’s also operating.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample advertisement for the iFrame\/Javascript crypting\/obfuscating service operated by Paunch, within the kit’s control panel:<\/strong><\/p>\n

\"Paunch_Black_Hole_Exploit_Kit_Advertising\"<\/a><\/p>\n

This is the most popular advertisement that was featured within the kit since day one, in an attempt by its author to not only achieve a decent brand awareness for the service, but also actually convert his current Black Hole Exploit Kit customers into customers of the crypting\/obfuscating service as well. The results? Pretty decent conversion rates, based on a systematic tracking of the pseudo-random obfuscations generated by the service, and actually used in campaigns intercepted in the wild.<\/p>\n

At a later stage, things slightly changed, perhaps due to the fact that Paunch’s service has gained the necessary market share. The author of the kit started soliciting advertisements from fellow cybercriminals, like the following ad:<\/p>\n

\"Paunch_Black_Hole_Exploit_Kit_Advertising_02\"<\/a><\/p>\n

What’s so special about the iFrame\/Javascript crypting\/obfuscation service operated by Paunch? It supports multiple crypting\/obfuscating algorithms, as well as API keys, allowing ‘on-the-fly’ obfuscation for his customers to take advantage of.<\/p>\n

Sample entry page for Paunch’s crypting\/obfuscating service:<\/strong><\/p>\n

\"Paunch_Black_Hole_Exploit_Kit_Advertising_05\"<\/a><\/p>\n

Sample Black Hole Exploit Kit campaigns’ pseudo-random obfuscation examples that used Paunch’s service:<\/p>\n