Researchers say that one of the attack groups using the two new Java zero-day vulnerabilities is the same group that was behind an earlier targeted attack campaign from 2011. That group was traced back to China and was essentially running a spear-phishing campaign, but now the crew, known as Nitro, is using the Java vulnerabilities in Web-based attacks that install the Poison Ivy remote-access tool.
The attacks have been going on for more than a week, researchers say, and the Nitro group is apparently reusing both its command-and-control servers and some of the file names for the malicious executables. There are two separate domains serving the Java exploit right now, and the two main executable files the attacks are using are named “Flash_update.exe” and “hi.exe”.
“In these latest attacks, the attackers have developed a somewhat more sophisticated technique. They are using a Java zero-day, hosted as a .jar file on websites, to infect victims. As in the previous documented attacks, the attackers are using Backdoor.Darkmoon [another name for Poison Ivy], re-using command-and-control infrastructure, and even re-using file names such as ‘Flash_update.exe’. It is likely that the attackers are sending targeted users emails containing a link to the malicious jar file. The Nitro attackers appear to be continuing with their previous campaign,” researchers at Symantec said in an analysis of the attacks.
The original attacks run by this crew targeted a number of companies in the chemical sector, as well as some defense contractors. Those attacks used the kind of spear phishing emails that often are employed in targeted attacks and also installed a copy of Poison Ivy on compromised machines. Poison Ivy is widely used by attackers and gives them remote access to infected PCs and the ability to steal data and monitor users’ actions.
The attacks attributed to Nitro in the fall of 2011 targeted companies in a number of different countries around the world, but focused for the most part on organizations in the United States, Bangladesh and the U.K. The current spate of attacks using the Java CVE-2012-4681 vulnerability is hitting users around the world.
Following the original attacks traced to Nitro last year, Symantec published a detailed analysis of the attacks and characteristics of the crew behind them. One thing they found was that the attackers were using different email subjects and texts to appeal to different targets, depending upon the target’s job and location. They also discovered that one of the members of the attack crew was a young hacker they dubbed Covert Grove, who didn’t seem to have much in the way of experience.
“He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school,” the report says.
“Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined.”
The attackers using the new Java bugs are using IP addresses and other details that were taken directly from the earlier Nitro attacks.
“One sample of malware downloaded by the exploit has been identified as 4a55bf1448262bf71707eef7fc168f7d – ‘hi.exe’ or ‘Flash_update.exe’,” Symantec’s analysis said. “This particular sample connects to hello.icon.pk, which resolves to 126.96.36.199. That same IP was used by the Nitro attackers back in 2011.”
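The indicators quoted above (the MD5 of the dropped executable, the two file names, the hello.icon.pk domain and the 126.96.36.199 address) are the kind of thing a defender would sweep DNS and proxy logs for. The following is an added example written for this page, not code from Symantec or from the article; it assumes a simple hypothetical `key=value` log format and uses constructed sample lines, with the indicator values taken only from the article. File names and hashes are lowercased before comparison so that case variations in how they appear in logs do not cause misses.

```python
import re

# Indicators as quoted in the Symantec analysis above (MD5, file names, C2 domain, IP).
NITRO_IOCS = {
    "md5": {"4a55bf1448262bf71707eef7fc168f7d"},
    "filename": {"flash_update.exe", "hi.exe"},
    "domain": {"hello.icon.pk"},
    "ip": {"126.96.36.199"},
}

# Constructed sample log lines in a hypothetical "<timestamp> <type> key=value ..." format.
# The client addresses and the non-matching records are made up for the example.
SAMPLE_LOGS = [
    "2012-08-30T10:01:02 dns client=10.0.0.12 query=hello.icon.pk answer=126.96.36.199",
    "2012-08-30T10:01:05 proxy client=10.0.0.12 dst=126.96.36.199 file=Flash_update.exe md5=4a55bf1448262bf71707eef7fc168f7d",
    "2012-08-30T10:02:00 dns client=10.0.0.15 query=www.example.com answer=93.184.216.34",
    "2012-08-30T10:03:11 proxy client=10.0.0.20 dst=198.51.100.7 file=report.pdf md5=d41d8cd98f00b204e9800998ecf8427e",
    "2012-08-30T10:04:40 dns client=10.0.0.31 query=hello.icon.pk answer=126.96.36.199",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into timestamp, record type and its key=value fields."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    fields = dict(KV_RE.findall(rest))
    fields["_ts"] = ts
    fields["_kind"] = kind
    return fields


def match_iocs(fields):
    """Return the (ioc_type, value) indicators that one parsed record hits."""
    hits = []
    # Which log field is compared against which indicator class.
    checks = [
        ("domain", fields.get("query")),
        ("ip", fields.get("answer")),
        ("ip", fields.get("dst")),
        ("filename", fields.get("file")),
        ("md5", fields.get("md5")),
    ]
    for ioc_type, value in checks:
        if value is None:
            continue
        norm = value.lower()
        if norm in NITRO_IOCS[ioc_type]:
            hits.append((ioc_type, norm))
    return hits


def scan_logs(lines):
    """Return one alert per log line that matches at least one indicator."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        hits = match_iocs(fields)
        if hits:
            alerts.append({
                "ts": fields["_ts"],
                "kind": fields["_kind"],
                "client": fields.get("client"),
                "hits": hits,
            })
    return alerts


def affected_clients(lines):
    """Sorted list of internal clients that touched any indicator; these are the hosts to triage."""
    return sorted({a["client"] for a in scan_logs(lines)})


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
    print("clients to triage:", affected_clients(SAMPLE_LOGS))
```

Matching a resolved address as well as the queried name matters here because, as the article notes, the same IP was reused across campaigns while the hostname changed; a sweep keyed only on the domain would miss older activity.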
The use of the new Java vulnerabilities isn’t restricted to the Nitro crew, however. The creator of the BlackHole exploit kit has added an exploit for it, as well, and that kit is used by a wide range of attackers.