There is a new malware exploit kit called “Cool,” which allows an attacker to remotely target security vulnerabilities in order to perform a drive by.
While that is not abnormal, researchers said it also can serve up attacks that are able to perform more sophisticated functions, including scanning for browser and operating system and detecting potentially vulnerable plug-ins.
Cool bears a strong resemblance to another popular malware exploit platform, said F-Secure researchers Karmina Aquino and Timo Hirvonen. They found a number of the attack targets, techniques and updates displayed by Cool match that of the Blackhole kit.
The researchers said when new vulnerabilities end up disclosed, Blackhole and Cool often show updates at similar times and target many of the same vulnerable components and versions.
“With all these ‘differences’, it appears that Cool and Blackhole are more than just a tiny bit related,” the researchers said.
There is also a resemblance between the two attack kits at the coding level, performing similar functions and operations when carrying out attacks. Aquino and Hirvonen said when attacking components such as Flash, the two kits even go so far as to use the same file names and code.
“It may be just us, but the version checks by the two kits are very much alike.” the researchers said.
“And when we checked out Cool’s Flash exploits, we can’t help but notice that it uses the same Flash filenames as seen from Blackhole version 1, which happen to exploit the same Flash vulnerabilities.”
As the cybercrime market continues to grow, attack kits have become an increasingly popular tool for spreading malware. The kits can range from free platforms to highly-sophisticated premium attack platforms.