JS/Exploit-Blacole.ht

This page shows the details and results of our analysis of the malware JS/Exploit-Blacole.ht.

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Avast - JS:Blacole-CX
  • Drweb - JS.Redirector.145
  • Sunbelt - Trojan.JS.Obfuscator.aa


Minimum Engine

5600.1067

File Length

Varies

Description Added

2012-09-15

Description Modified

2013-09-26

Characteristics

------------- Updated on 26 Sep, 2013 --------------------

“JS/Exploit-Blacole.ht” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code.

It also checks for installed components such as the Flash plug-in and looks for a vulnerable version of Flash.

“JS/Exploit-Blacole.ht” is a generic detection for obfuscated JavaScript that points to an iframe loading a remote malicious site.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malware or execute browser exploits.

The injection technique above redirects to the URL below in order to connect to the malicious site with the help of an iframe.

  • hxxp://depre.zdro[removed].pl/QfMpDFjg.php

---------------------

------------------------------Updated on 31 Jul 2013-------------------------------------------------------------

Aliases

  • Fortinet - HTML/IFrame.AHQ!tr.dldr
  • Microsoft - Trojan:JS/BlacoleRef.CZ
  • Avast - JS:Redirector-AOW

“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malware or execute browser exploits.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

The detected script also uses the following recent injection technique in order to connect to a randomly generated malicious domain.

<!--0c0896-->
<!--/0c0896-->

The following are the malicious iframes injected into the compromised web page under the div class id “cyal”:

  • dent[Removed].uk
  • HXXP://91[Removed]rv/esd.php


------------------------------Updated on 30 Jul 2013-------------------------------------------------------------

Aliases

  • Fortinet - JS/Agent.GWJ!tr.dldr
  • Microsoft - Trojan:JS/BlacoleRef.DD
  • ESETNOD32 - JS/Kryptik.AMO

Characteristics

“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malware or execute browser exploits.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

The detected script also uses the following recent injection technique in order to connect to a randomly generated malicious domain.

<!--0c0896-->
<!--/0c0896-->

The following is the malicious iframe injected into the compromised web page under the div class id “uuuc”:

  • hxxp://stoni[Removed]cnf/rel.php

------------------------------Updated on 13 June 2013------------------------------------------------------------

Aliases

  • Kaspersky - Trojan.JS.Iframe.AEP
  • Drweb - JS.IFrame.454
  • Fortinet - HTML/IFrame.AHQ!tr.dldr
  • Ikarus - Trojan.JS.BlacoleRef
  • Microsoft - Trojan:JS/BlacoleRef.CZ

“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website. 

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malware or execute browser exploits.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

The detected script also uses the following recent injection technique in order to connect to a randomly generated malicious domain.

<!--0c0896-->
<!--/0c0896-->

The following is the malicious iframe injected into the compromised web page under the div class id “djpt”:

http://[Removed]a-ind.jp/clicker.php

------------------------------Updated on 13 June 2013-------------------------------------------------------------

“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malware or execute browser exploits.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

The following is the malicious iframe injected into the compromised web page under the div class id “tum”:

hxxp://seta[Removed]ura.ne.jp/050504veteran/clk.php

------------------------------Updated on 9 June 2013-----------------------------------------------


Aliases

  • F-Secure - JS:Trojan.Crypt.MT
  • Kaspersky - Trojan.JS.Iframe.aen
  • Microsoft - Trojan:JS/BlacoleRef.CZ



“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website that contains an instance of the "Blackhole" exploit kit.

The "Blackhole" exploit kit may exploit vulnerabilities in certain software that may be installed on the victim's computer. After successful exploitation, it may lead to the download and execution of other malicious files.

The detected script also uses the following recent injection technique in order to connect to a randomly generated malicious domain.

<!--0c0896-->
<!--/0c0896-->

The injection technique above redirects to the following URL:

  • hxxp://br[Removed]fart.de/cnt.php

 ------------Updated on 5 June 2013----------


“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other payloads or execute browser exploits.

The "Blackhole" exploit kit may exploit vulnerabilities in certain software that may be installed on the victim's computer. After successful exploitation, it may lead to the download and execution of other malicious files.

The detected script also uses the following recent injection technique in order to connect to a randomly generated malicious domain.

<!--0c0896-->
<!--/0c0896-->

The following are the malicious iframes injected into the compromised web site:

  • hxxp://jap[Removed]mo.gr.jp/veherl/rel.php
  • hxxp://iris[Removed].de/clik.php

-------------Updated on 1 June 2013-----------

“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website.

Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to a malicious site with the help of an iframe.

The following is the malicious iframe injected into the compromised web site under the div class id “ggnwb”:

hxxp://gahm[Removed]i.ru/count21.php

-------------Updated on 31 May 2013-----------

“JS/Exploit-Blacole.ht” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code. It also checks for installed components such as the Flash plug-in and looks for a vulnerable version of Flash.

“JS/Exploit-Blacole.ht” is a generic detection for obfuscated JavaScript that points to an iframe loading a remote malicious site.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other payloads or execute browser exploits.

Upon execution, it tries to load the JavaScript and redirect the user to the following URL with the help of an iframe:

hxxp://a[Removed]b.ca/_mm/dtd.php

-------------Updated on 30 May 2013-----------

Aliases

  • Avira - JS/EXP.Redir.EL.7 Java script

“JS/Exploit-Blacole.ht” is the detection for JavaScript contained within Web pages.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website that contains an instance of the "Blackhole" exploit kit.

The "Blackhole" exploit kit may exploit vulnerabilities in certain software that may be installed on the victim's computer. After successful exploitation, it may lead to the download and execution of other malicious files.

The detected script also uses the following recent injection technique in order to connect to a randomly generated malicious domain.

<!--0c0896-->
<!--/0c0896-->

The injection technique above redirects to the URL hxxp://g[Removed]uias.com/imagens/count.php, which in turn connects to the following malicious URL with the help of an iframe:

hxxp://208.69.[Removed].200/4423d1aa2ce3a75ea21e3cddf9dc57f0/a.php
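Every update above describes the same injection shape: a comment-marker pair (`<!--0c0896-->` ... `<!--/0c0896-->`) wrapping a div with a short class id that holds an iframe to a remote site. The following is an added example, not McAfee's detection logic and not taken from this page: a stand-alone Python scanner that a web administrator could run over saved HTML to find that pattern, plus any iframe that has been hidden by size or CSS whether or not the markers are present. The sample page and its iframe targets are constructed placeholders; the hidden-iframe heuristic is this example's own.

```python
"""Scan saved HTML for the injection pattern described in this advisory.

Added example for this page (not McAfee's detection logic): the comment-marker
pair <!--0c0896--> ... <!--/0c0896--> quoted in the updates above wraps a div
with a short class id that contains an iframe to a remote site. The sample page
below is constructed; the iframe targets are placeholders, not real sites.
"""
import re
from dataclasses import dataclass

# A marker pair: <!--XXXXXX--> ... <!--/XXXXXX--> with the same 6-hex tag on both
# sides. \s* tolerates the "<!-- /0c0896-->" spacing seen in one of the updates.
MARKER_RE = re.compile(
    r"<!--\s*(?P<tag>[0-9a-f]{6})\s*-->(?P<body>.*?)<!--\s*/(?P=tag)\s*-->",
    re.I | re.S,
)
IFRAME_RE = re.compile(r"<iframe\b(?P<attrs>[^>]*)>", re.I)
ATTR_RE = re.compile(
    r"""(?P<name>[\w-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s>]+))""",
    re.I,
)
DIV_CLASS_RE = re.compile(r"""<div\b[^>]*\bclass\s*=\s*["']?(?P<cls>[\w-]+)""", re.I)


@dataclass
class Finding:
    marker: str      # 6-hex tag of the enclosing marker pair, "" if none
    div_class: str   # class of the div inside the marker block, "" if none
    src: str         # iframe src as found (defanged in the sample)
    hidden: bool     # iframe made invisible by size or CSS


def parse_attrs(attr_text):
    """Return a lowercase-name dict of the attributes in an opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = m.group("dq")
        if value is None:
            value = m.group("sq")
        if value is None:
            value = m.group("bare")
        attrs[m.group("name").lower()] = value or ""
    return attrs


def _dimension(value, default=100):
    """Leading integer of a width/height value ("1", "1px"); default if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else default


def is_hidden(attrs):
    """Heuristic for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _dimension(attrs.get("width")) <= 10 or _dimension(attrs.get("height")) <= 10


def scan_page(html):
    """Report every iframe inside a marker block, plus hidden iframes anywhere."""
    blocks = [(m.start(), m.end(), m.group("tag"), m.group("body"))
              for m in MARKER_RE.finditer(html)]
    findings = []
    for frame in IFRAME_RE.finditer(html):
        attrs = parse_attrs(frame.group("attrs"))
        hidden = is_hidden(attrs)
        marker, div_class = "", ""
        for start, end, tag, body in blocks:
            if start <= frame.start() < end:
                marker = tag
                div = DIV_CLASS_RE.search(body)
                div_class = div.group("cls") if div else ""
                break
        if marker or hidden:
            findings.append(Finding(marker, div_class, attrs.get("src", ""), hidden))
    return findings


# Constructed sample: one injected block in the advisory's shape, one legitimate
# embed, and one hidden iframe without markers (an injection that dropped them).
SAMPLE_HTML = """<html><body>
<p>Welcome to our site.</p>
<!--0c0896-->
<div class="cyal"><iframe src="hxxp://injected.example/esd.php" width="1" height="1" style="display:none"></iframe></div>
<!--/0c0896-->
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
<iframe src="hxxp://other.example/rel.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML):
        print(f"marker={f.marker or '-'} div={f.div_class or '-'} hidden={f.hidden} src={f.src}")
```

Run it against the saved HTML of a page served by the compromised site (not the live site, so that the iframe is never loaded). A visible, normally sized iframe outside the markers is left alone; the value of the scan is the marker pair, which survives even when the attacker rotates the div class id and the destination domain.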

------------- Updated on 27 Apr 2013 -----------

Aliases

  • Kaspersky - Exploit.JS.Agent.bmh
  • Microsoft - Exploit:JS/Blacole.KH
  • Ikarus - Exploit.JS.Blacole


“JS/Exploit-Blacole.ht” is a generic detection for malicious Java code that exploits a vulnerability that allows the execution of arbitrary code. It also checks for installed components such as the Flash plug-in and looks for a vulnerable version of Flash.

“JS/Exploit-Blacole.ht” is a generic detection for obfuscated JavaScript that points to an iframe loading a remote malicious site.

“JS/Exploit-Blacole.ht” is an obfuscated JavaScript that could be embedded into compromised websites. This Trojan will redirect the user to malicious websites and download other malware or execute browser exploits.

The injection technique above redirects to the first URL below in order to connect to the malicious address that follows it, with the help of an iframe.

  • hxxp://tra[Removed]/hmtg.html
  • 74.53.[Removed].213


------------- Updated on 20 Apr 2013 -----------

“JS/Exploit-Blacole.ht” is a generic detection for malicious Java code that exploits CVE-2010-0188, a vulnerability that allows the execution of malicious JavaScript.

“JS/Exploit-Blacole.ht” is a JavaScript Trojan that redirects the browser to a malicious website that contains an instance of the "Blackhole" exploit kit.

The "Blackhole" exploit kit may exploit vulnerabilities in certain software that may be installed on the victim's computer. After successful exploitation, it may lead to the download and execution of other malicious files.

The Trojan checks installed component versions such as Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1; the vulnerability allows the attacker to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.

Upon successful exploitation, the Trojan tries to execute the malicious JavaScript to download the other payloads.

Upon execution, the Trojan tries to connect to the URLs below through the remote HTTP port in order to download the other payloads, and it listens on a random port, 1392.

  • hxxp://man[Removed]nppa.ru:8080/forum/links/column.php
  • hxxp://man[Removed]nppa.ru:8080/favicon.ico
  • hxxp://man[Removed]nppa.ru:8080/forum/links/column.php?lpsv=350308350a&fezjq=3307093738070736060b&mciwuld=03&bjywtn=wrn&ntomaith=ouzq
  • u[Removed]s.microsoft.com
  • f7.dd.33.st[Removed]ic.xlhost.com

The Trojan also drops files in the following locations:

  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\8IB8LMS5\calc[1].exe
  • %Temp%\A9R6B77.tmp
  • %Temp%\exp1B0.tmp
  • %Temp%\exp1B1.tmp
  • %Temp%\exp1B1.tmp.exe
  • %AppData%\C6B6D942\C6B6D942
  • %AppData%\KB00782382.exe

The following registry key value is added to the system:

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\KB00782382.exe: "%AppData%\KB00782382.exe"
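The dropped files and the Run-key value listed above are the persistence artefacts a responder would check for. The following is an added example, not McAfee's code and not taken from this page: it parses a constructed "Windows Registry Editor" export of the HKEY_USERS Run keys and flags autorun entries whose target lives under %AppData%, %Temp% or Temporary Internet Files, or whose value name mimics a Windows update package (KBnnnnnnnn.exe) as in the entry above. The SID, the benign OneDrive entry and the flagging heuristics are this example's own.

```python
"""Triage Run-key autorun entries from a .reg export for the persistence
pattern listed above.

Added example for this page (not McAfee's code): it parses a constructed
"Windows Registry Editor" export of HKEY_USERS\\...\\CurrentVersion\\Run keys
and flags values whose target lives in a user-writable temp/profile directory
or whose value name mimics a Windows update (KBnnnnnnnn.exe). The SID and the
legitimate OneDrive entry in the sample are constructed.
"""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# "name"="data" lines; .reg escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
KB_NAME_RE = re.compile(r"^KB\d{5,}\.exe$", re.I)
# Directories an autorun entry should rarely point into (lower-cased substrings).
SUSPECT_DIRS = (
    "%appdata%",
    "%temp%",
    "\\application data\\",
    "\\local settings\\temp",
    "temporary internet files",
)


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    reasons: list


def unescape_reg(text):
    """Undo .reg escaping (a backslash before a backslash or a quote)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value under a Run/RunOnce key."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not current_key or not RUN_KEY_RE.search(current_key):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current_key, unescape_reg(m.group("name")), unescape_reg(m.group("data"))))
    return entries


def triage(entries):
    """Flag autorun entries matching the advisory's persistence pattern."""
    flagged = []
    for key, name, command in entries:
        reasons = []
        low = command.lower()
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("autorun target is in a user-writable temp/profile directory")
        if KB_NAME_RE.match(name):
            reasons.append("value name mimics a Windows update package")
        if reasons:
            flagged.append(RunEntry(key, name, command, reasons))
    return flagged


# Constructed export: the entry from the advisory beside a benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"KB00782382.exe"="\"%AppData%\\KB00782382.exe\""
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for hit in triage(parse_reg_export(SAMPLE_REG)):
        print(hit.name, "->", hit.command, "|", "; ".join(hit.reasons))
```

Feed it the output of `reg export HKU exported.reg` taken from the affected profile; a hit is a lead to verify against the dropped-file list above, not a verdict, since legitimate software occasionally registers an autorun under %AppData% as well.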

Symptoms

Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name; however, it can include malicious activity such as downloading and executing files or scripts.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, and browsing compromised websites.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants