New Java Attack Introduced into Cool Exploit Kit

A new exploit has been found in the Cool Exploit Kit for a vulnerability in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9.

Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit.

A researcher who goes by the handle Kafeine and runs the Malware don’t need Coffee site found the exploit in Cool late last week while looking for something else entirely—the latest Adobe Reader zero-day. The new Java exploit, a sandbox escape, targets vulnerability CVE-2012-5076 that was repaired in Oracle’s October 2012 Critical Patch Update. Attackers can run arbitrary code on compromised machines, Romang said.

According to the Open Source Vulnerability Database, the vulnerability is in the Java Deployment subcomponent.

Researchers are concerned that, now that this exploit is in Cool Exploit Kit, it could find its way into the Black Hole Exploit Kit. Kafeine speculates on his site that Paunch, the author of Black Hole, could be behind Cool as well. “Many, many signals,” Kafeine told Threatpost as to why. First, he has seen the same exploit pack, including the same files and MD5 hashes, in both. He also said two groups using Cool are associates of Paunch and have shared exploits previously.

Kafeine was able to infect a Windows 7 machine running Internet Explorer 9 with the Java 7u7 plug-in. The exploit did not work on 7u9, he said.

Reveton ransomware surfaced in August appearing in a phony message supposedly from the FBI. Users are infected via drive-by downloads on sites hosting the malware. The malware locks a user’s computer, and displays a message that the computer’s IP address has been linked to child pornography. The written English on the warning is poor, a tip-off the situation is a scam. Regardless, the computer remains locked until a “fine” or ransom is paid. Officials said some victims pay the ransom, but their computers remain locked until the malware is removed.

Reveton is linked to the Citadel banking and botnet malware. Citadel is responsible for millions in fraudulent losses; it is updated frequently by its authors, who run it on an open source development model. The malware is sold as a service and also runs its own customer relationship management system, support teams and hosts discussion forums for its customers. It was recently updated to include a dynamic configuration aspect that allows its authors to inject into compromised browser sessions on the fly.

Ransomware, meanwhile, continues to be a profitable enterprise for cybercriminals. A recent Symantec study of 16 ransomware variants concluded that the scams netted their authors anywhere up to $33,000 a day within a month-long period of time.

More than 68,000 unique IP addresses connected to the Ransomlock Trojan command and control infrastructure starting in September, and almost 3 percent of visitors were paying their ransom.