Files matching the BlackHole2 Exploit Kit signature may indicate malicious HTML or JavaScript used to deliver payloads; this kit is commonly leveraged by adversaries to compromise systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate exploit-based attacks before they lead to full system compromise.
YARA Rule
rule blackhole2_htm6 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-27"
        description = "BlackHole2 Exploit Kit Detection"
        // hash keys are reproduced as generated; hash0 and hash2 appear more than once
        hash0 = "a5f94d7bdeb88b57be67132473e48286"
        hash1 = "2e72a317d07aa1603f8d138787a2c582"
        hash2 = "9440d49e1ed0794c90547758ef6023f7"
        hash3 = "58265fc893ed5a001e3a7c925441298c"
        hash2 = "9440d49e1ed0794c90547758ef6023f7"
        hash0 = "a5f94d7bdeb88b57be67132473e48286"
        hash2 = "9440d49e1ed0794c90547758ef6023f7"
        hash7 = "95c6462d0f21181c5003e2a74c8d3529"
        hash8 = "9236e7f96207253b4684f3497bcd2b3d"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        // image names and a directory-listing title seen in the kit's template directory
        $string0 = "uniq1.png"
        $string1 = "edit.png"
        $string2 = "left.gif"
        $string3 = "infin.png"
        $string4 = "outdent.gif"
        $string5 = "exploit.gif"
        $string6 = "sem_g.png"
        $string7 = "Index of /library/templates/img"
        $string8 = "uniq1.png"   // same text as $string0; both identifiers count toward the condition

    condition:
        // at least 8 of the 9 string identifiers must match
        8 of them
}
This rule contains 9 string patterns ($string0 through $string8) in its detection logic, and its condition fires when 8 of them match. The following scenarios describe legitimate activity that may trigger the rule, each with a suggested filter or exclusion:
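As an added example (not part of the original page or the rule author's code), the following plain-Python evaluator reproduces the rule's string set and its "8 of them" condition without needing yara-python, and runs it over two constructed HTML samples. It makes one tuning point visible: YARA counts identifiers, and $string0 and $string8 carry the same text, so a file needs only 7 distinct substrings (uniq1.png plus any six of the others) to trip the rule. The sample HTML content is constructed for this example.

```python
# Added example (not from the original page): a minimal evaluator for the
# blackhole2_htm6 rule's "8 of them" condition, written in plain Python so it
# runs without yara-python. It reports which identifiers hit and shows the
# effective threshold once the duplicated "uniq1.png" pattern is accounted for.
from __future__ import annotations

# The nine string patterns exactly as declared in the rule on this page.
RULE_STRINGS: dict[str, bytes] = {
    "$string0": b"uniq1.png",
    "$string1": b"edit.png",
    "$string2": b"left.gif",
    "$string3": b"infin.png",
    "$string4": b"outdent.gif",
    "$string5": b"exploit.gif",
    "$string6": b"sem_g.png",
    "$string7": b"Index of /library/templates/img",
    "$string8": b"uniq1.png",   # same content as $string0
}
THRESHOLD = 8  # condition: 8 of them


def matched_identifiers(data: bytes) -> list[str]:
    """Return the identifiers whose (case-sensitive) pattern occurs in data."""
    return [ident for ident, pat in RULE_STRINGS.items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition '8 of them' the way YARA counts it: per identifier."""
    return len(matched_identifiers(data)) >= THRESHOLD


def distinct_patterns_required() -> int:
    """How many *distinct* substrings a file must contain to trip the rule.

    YARA counts identifiers, not unique patterns, so a pattern declared twice
    contributes two hits from one occurrence. Assumes the duplicated pattern
    ("uniq1.png") is present, which is the cheapest way to reach the threshold.
    """
    distinct = set(RULE_STRINGS.values())
    duplicates = len(RULE_STRINGS) - len(distinct)
    return THRESHOLD - duplicates


# Constructed samples (not real malware): a directory-listing page carrying the
# template image names, and an ordinary page that mentions only a few of them.
SAMPLE_LISTING = b"""<html><head><title>Index of /library/templates/img</title></head>
<body><a href="uniq1.png">uniq1.png</a> <a href="edit.png">edit.png</a>
<a href="left.gif">left.gif</a> <a href="infin.png">infin.png</a>
<a href="outdent.gif">outdent.gif</a> <a href="sem_g.png">sem_g.png</a></body></html>"""

SAMPLE_BENIGN = b"""<html><body><img src="edit.png"><img src="left.gif">
<script>renderToolbar("outdent.gif");</script></body></html>"""

if __name__ == "__main__":
    for name, blob in (("listing", SAMPLE_LISTING), ("benign", SAMPLE_BENIGN)):
        hits = matched_identifiers(blob)
        print(f"{name}: {len(hits)} identifier hits {hits} -> match={rule_matches(blob)}")
    print("distinct substrings needed:", distinct_patterns_required())
```

The listing sample never mentions exploit.gif yet still matches, because uniq1.png satisfies both $string0 and $string8. When tuning a generated rule like this one, deduplicate the strings first so the threshold in the condition means what it appears to mean.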
Scenario: Legitimate HTML Report Generation by Report Generator Tool
Description: A system administrator uses a tool like Report Generator Pro to create HTML reports that include embedded JavaScript for dynamic content.
Filter/Exclusion: Exclude files generated by ReportGeneratorPro.exe or files with a report_ prefix in their filename.

Scenario: Scheduled Job for Web Content Updates
Description: A cron job or Task Scheduler task runs a script to update a company website, which includes HTML and JavaScript files for interactive elements.
Filter/Exclusion: Exclude files modified by the scheduled task UpdateWebsiteJob or files located in the web_content/ directory.

Scenario: Admin Task Involving JavaScript-Based Dashboard
Description: An admin uses Power BI or Tableau to create a dashboard with embedded JavaScript for data visualization, which may trigger the YARA rule.
Filter/Exclusion: Exclude files with the .html extension that are part of the Power BI or Tableau dashboard configuration.

Scenario: Plugin JavaScript in a Legitimate Web Application
Description: A developer uses a CMS platform like WordPress with a plugin that includes JavaScript for user interaction, which may be flagged by the rule.
Filter/Exclusion: Exclude files located in the wp-content/plugins/ directory or files with a plugin_ prefix.

Scenario: Legacy System with Embedded JavaScript for Compatibility
Description: An older system uses VBScript or JavaScript for legacy compatibility, such as in Microsoft FrontPage or ASP Classic pages.
Filter/Exclusion: Exclude files with a .asp or .asa extension or files located in the legacy_content/ directory.
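The five exclusions above can be applied as a triage step between the YARA hit and the Sentinel incident. The following is an added example, not the page's own tooling: it encodes each scenario's filter as a predicate over a hit record and splits hits into "escalate" and "suppressed" lists. The record fields (path, process, task, source_app) are assumptions for this example and need mapping to your own telemetry; the sample hits are constructed. Path- and prefix-based exclusions are coarse, and a compromised CMS install is itself a common host for exploit-kit landing pages, so the suppressed hits are kept for review rather than discarded.

```python
# Added example (not from the original page): triage filter that applies the
# five scenario exclusions to YARA hits before they become Sentinel incidents.
# Field names on the hit record are assumptions for this example.
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath
from typing import Callable, Optional


@dataclass(frozen=True)
class YaraHit:
    rule: str
    path: str                # full path of the flagged file
    process: str = ""        # image name that wrote the file, if known
    task: str = ""           # scheduled task / cron job that produced it, if any
    source_app: str = ""     # e.g. "PowerBI" or "Tableau" (assumed field)


def _name(path: str) -> str:
    # Forensic paths come from mixed platforms; pick the parser by separator.
    return PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name


def _under(path: str, directory: str) -> bool:
    # Case-insensitive "is this file somewhere below <directory>/" check.
    normalised = path.replace("\\", "/").lower()
    return f"/{directory.strip('/').lower()}/" in normalised


# One (label, predicate) pair per scenario on the page, in the page's order.
EXCLUSIONS: list[tuple[str, Callable[[YaraHit], bool]]] = [
    ("report-generator", lambda h: h.process.lower() == "reportgeneratorpro.exe"
                                   or _name(h.path).lower().startswith("report_")),
    ("scheduled-web-update", lambda h: h.task == "UpdateWebsiteJob"
                                       or _under(h.path, "web_content")),
    ("bi-dashboard", lambda h: _name(h.path).lower().endswith(".html")
                               and h.source_app in ("PowerBI", "Tableau")),
    ("cms-plugin", lambda h: _under(h.path, "wp-content/plugins")
                             or _name(h.path).lower().startswith("plugin_")),
    ("legacy-asp", lambda h: _name(h.path).lower().endswith((".asp", ".asa"))
                             or _under(h.path, "legacy_content")),
]


def exclusion_for(hit: YaraHit) -> Optional[str]:
    """Return the label of the first matching exclusion, or None if the hit stands."""
    for label, predicate in EXCLUSIONS:
        if predicate(hit):
            return label
    return None


def triage(hits: list[YaraHit]) -> tuple[list[YaraHit], list[tuple[YaraHit, str]]]:
    """Split hits into (escalate, suppressed); suppressed hits keep their reason."""
    escalate: list[YaraHit] = []
    suppressed: list[tuple[YaraHit, str]] = []
    for hit in hits:
        label = exclusion_for(hit)
        if label:
            suppressed.append((hit, label))
        else:
            escalate.append(hit)
    return escalate, suppressed


# Constructed sample hits (paths and process names invented for this example).
SAMPLE_HITS = [
    YaraHit("blackhole2_htm6", "/var/www/html/library/templates/img/index.html"),
    YaraHit("blackhole2_htm6", "C:\\Reports\\report_q2.html", process="ReportGeneratorPro.exe"),
    YaraHit("blackhole2_htm6", "/srv/site/wp-content/plugins/gallery/view.html"),
    YaraHit("blackhole2_htm6", "/srv/site/wp-content/uploads/x.html"),
    YaraHit("blackhole2_htm6", "C:\\inetpub\\wwwroot\\legacy_content\\old.asp"),
]

if __name__ == "__main__":
    escalate, suppressed = triage(SAMPLE_HITS)
    for hit in escalate:
        print("ESCALATE ", hit.path)
    for hit, why in suppressed:
        print("SUPPRESS ", hit.path, f"({why})")
```

Note that the hit under wp-content/uploads/ is not covered by the plugin exclusion and still escalates; keeping exclusions this specific, and reviewing the suppressed list periodically, is what stops a tuning allowlist from becoming a blind spot.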