Use of the notorious Blackhole exploit kit has radically dropped since the arrest of its alleged creator "Paunch", according to an independent malware researcher.
The researcher, known as Kafeine, wrote in a blog post that the use of the Blackhole hack tool has almost completely ceased, reporting he has not seen a new variant or system update for the exploit kit in weeks. The news comes less than six weeks after Russian police arrested a man believed to be the author of the exploit kit.
In its heyday Blackhole was the most commonly used exploit kit in the world. Security firm F-Secure estimated that Blackhole accounted for 27 percent of the exploit kit market in March. Exploit kits are publicly traded hack tools that let criminals automatically mount a variety of cyber scams and attacks.
In the past the Blackhole exploit kit has been linked to numerous phishing scams that sent malware-laden messages claiming to come from legitimate companies, such as the BBC and CNN. Before Paunch's arrest the Blackhole kit received a constant stream of updates designed to let it target newly discovered vulnerabilities.
FireEye malware research engineer Josh Gomez told V3 the rapid decrease in Blackhole usage is likely due to the lack of new vulnerability updates. "Blackhole's curator (Paunch) is no longer actively maintaining the exploit kit since his arrest. We see the drop in activity and it correlates to the timeframe of his arrest," he said.
"The Blackhole and Cool exploit kits were typically rented and leased, allowing the author to keep tighter control over the framework and offer an enhanced level of service or customisation to customers. With his removal from the exploit kit marketplace, Blackhole customers will find themselves needing to switch to other exploit kits as current Blackhole services expire or are dismantled."
Gomez said it is likely that a new criminal group will fill the gap and release a new exploit kit. "While we don't know of any specific groups picking up where Blackhole left off, it has left a void that is sure to be filled by other exploit kits or copycat authors who want to capitalise on the opportunity to bring new crimeware tools to the marketplace," he said.
Global technical consultant at Damballa and ex-Scotland Yard cybercrime unit detective Adrian Culley mirrored Gomez's sentiment, arguing that it will only be a matter of time before a new kit appears.
"Fighting the source of malware is much like trying to slay the mythical Hydra, for each head you cut off, two more will grow in its place. Given the difficulties in indexing the web, and seeing what exactly lies behind html pages, it is highly unlikely that this is the last we have seen of this malware. The dark web is like dark matter, we know it's there, but it's very hard to say exactly where, and what the dark data consists of," he said.
These comments mirror past criminal behaviour patterns following an exploit kit author's arrest. A similar pattern occurred earlier this year when a man believed to have created the Phoenix exploit kit was arrested.