A few hours ago, FireEye published some information related to a new Java 0day exploited in the wild.
The malicious JAR file was served from ok.aa24.net / meeting / index.html
The html loads the Java applet passing some parameters that are used later to build the URL to download the payload. The HTML is encrypted using “Dadong’s JSXX 0.44 VIP”.
The Java applet contains the following two .class files:
- cve2012xxxx/Gondzz.class
- cve2012xxxx/Gondvv.class
The applet check if the system is running Windows and gets the parameters passed from the HTML that contains the URL to download the payload. If the system is vulnerable, the payload is downloaded and executed in the system.
On the analyzed sample the payload is downloaded from ok.aa24.net / meeting / hi.exe
The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service.
The malware connects to hello.icon.pk port 80. It seems to be a Poison Ivy variant.
hello.icon.pk resolvs to:
223.25.233.244
223.25.233.0 – 223.25.233.255
8 to Infinity Pte Ltd
You can use the following generic Yara rule to detect a malicious .class file exploiting this vulnerability:
A module has just been published for Metasploit so it is time to disable Java in all your systems
And remember to search your logs for connections to the Domains/IPs related to this attack.
Have a great day!
jaime.blasco
At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.
Follow Me:
You can follow any responses to this entry through the RSS 2.0 Both comments and pings are currently closed.
