
Blackhole Exploit Kit Run Adopts Controversial Java Flaw

  • Posted on: March 1, 2013 at 7:42 am
  • Posted in: Exploits, Spam, Vulnerabilities
  • Author: Romeo Dela Cruz (Threat Response Engineer)

In our 2013 Security Predictions, we predicted that conventional malware would focus mainly on refining existing tools instead of creating new threats. A perfect example of this prediction is how the Blackhole Exploit Kit continuously attempts to circumvent the countermeasures put in place by the security industry. True enough, we recently received reports of a Blackhole Exploit Kit (BHEK) run that incorporated an exploit (detected by Trend Micro as JAVA_ARCAL.A) targeting the recently patched CVE-2013-0431.

As readers may recall, this vulnerability was part of the Java zero-day ruckus last January. That slew of critical incidents led Oracle to release an out-of-band security update to quickly address the issue. However, this release raised some crucial questions.

This particular BHEK run starts with spammed messages spoofing PayPal. When users click the item number indicated in these messages, they are led through several redirecting sites until they arrive at the page hosting the encrypted BHEK code. This code then checks the vulnerable system for the installed versions of Adobe Reader, Flash Player, and Java, and the result determines which exploit (and subsequent payload) is downloaded onto the system.


Figure 1. Sample spoofed PayPal email message

In our testing, the BHEK code found certain versions of Adobe Reader, which prompted it to download and execute a malicious .PDF file (detected as TROJ_PIDIEF.MEX) that exploits an older vulnerability, CVE-2010-0188.

After checking the Java version of the infected system, this BHEK code also downloads and executes JAVA_ARCAL.A from a specific page. JAVA_ARCAL.A then downloads TSPY_FAREIT.MEX from a specific URL and executes it using command.exe in the %user% path. This routine opens another page. Based on our analysis, TSPY_FAREIT.MEX attempts to steal information stored in web browsers such as Google Chrome, Mozilla Firefox and Internet Explorer. At the end of the infection chain, the BHEK code accesses the page shown below so that users think they were simply redirected to a legitimate-looking website.


Figure 2. Final landing page of the infection chain
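The redirect-and-download pattern described above (a click that bounces through several redirecting sites to one landing page, followed by a PDF and/or Java archive download) is something a security administrator can hunt for in web proxy logs. The script below is an added example written for this post, not code from Trend Micro or from the exploit kit itself. It assumes a simple constructed log format (timestamp, client IP, HTTP status, URL, response content type); the hostnames, addresses and timestamps in the sample lines are placeholders constructed for the example, not indicators from the actual run.

```python
"""Reconstruct per-client redirect chains from proxy log lines and flag
sessions that look like an exploit-kit landing: a run of 3xx redirects
ending on an HTML page, followed shortly by a PDF or Java archive download.
(Added example; log format and sample data are constructed, not from the post.)"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Content types that a landing page would hand to Adobe Reader or the Java plugin.
PLUGIN_PAYLOAD_TYPES = {
    "application/pdf",
    "application/java-archive",
    "application/x-java-archive",
}

# Constructed sample log (placeholder hosts, not IoCs from the post).
# Format per line: ISO-timestamp client status url content-type ('-' if none)
SAMPLE_LOG = """\
2013-03-01T07:42:01 10.0.0.5 302 http://mail-link.example/item?id=1 -
2013-03-01T07:42:02 10.0.0.5 302 http://hop1.example/r.php -
2013-03-01T07:42:03 10.0.0.5 302 http://hop2.example/go -
2013-03-01T07:42:04 10.0.0.5 200 http://landing.example/index.php text/html
2013-03-01T07:42:06 10.0.0.5 200 http://landing.example/files/x.pdf application/pdf
2013-03-01T07:42:08 10.0.0.5 200 http://landing.example/a.jar application/java-archive
2013-03-01T07:43:00 10.0.0.7 301 http://news.example/ -
2013-03-01T07:43:01 10.0.0.7 200 http://www.news.example/ text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, status, url, ctype = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "url": url,
            "ctype": ctype,
        })
    return events


def find_bhek_like_sessions(events, min_hops=2, hop_gap=timedelta(seconds=10),
                            payload_window=timedelta(seconds=60)):
    """Return one finding per client session matching the pattern:
    at least `min_hops` consecutive 3xx responses (each within `hop_gap` of the
    previous one), then a text/html landing page, then at least one plugin
    payload (PDF / JAR) fetched within `payload_window` of the landing page."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = []
    for client, evs in sorted(by_client.items()):
        evs.sort(key=lambda e: e["ts"])
        hops = []  # current run of redirect responses for this client
        for i, e in enumerate(evs):
            # A long pause means the earlier hops were not part of one bounce.
            if hops and e["ts"] - hops[-1]["ts"] > hop_gap:
                hops = []
            if 300 <= e["status"] < 400:
                hops.append(e)
                continue
            if len(hops) >= min_hops and e["ctype"] == "text/html":
                landing = e
                payloads = [
                    f["url"] for f in evs[i + 1:]
                    if f["ts"] - landing["ts"] <= payload_window
                    and f["ctype"] in PLUGIN_PAYLOAD_TYPES
                ]
                if payloads:
                    findings.append({
                        "client": client,
                        "hops": [h["url"] for h in hops],
                        "landing": landing["url"],
                        "payloads": payloads,
                    })
            hops = []  # any non-3xx response ends the redirect run
    return findings


if __name__ == "__main__":
    for finding in find_bhek_like_sessions(parse_log(SAMPLE_LOG)):
        print(f"{finding['client']}: {len(finding['hops'])} redirects -> "
              f"{finding['landing']} -> payloads {finding['payloads']}")
```

On the sample data only the first client is flagged: it passes through three redirects to an HTML landing page and then fetches a PDF and a JAR within seconds, which is the chain the post describes. The second client's single 301 to the same site's www host is ordinary and stays below `min_hops`. On real logs, tune `min_hops` and the time windows to the proxy's clock granularity, and treat a hit as a lead for triage (which plugin versions the client reported, what the downloaded files were) rather than a verdict on its own.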

Using Trend Micro Smart Protection Network™ data, we looked into the countries most affected by this BHEK run and got some interesting results. The most affected country is the United States, followed by Mexico. This is quite surprising, as Mexico did not generate significant infection counts in past BHEK runs. Other countries heavily affected by this wave of BHEK include Germany, Latvia, Japan, Australia, the United Kingdom, France, Spain and Italy.

With several components involved in this threat, BHEK spam runs can overwhelm any user. Fortunately, Trend Micro Smart Protection Network protects users from the related spam, URL, and malware.

The entry of CVE-2013-0431 into the BHEK narrative proves that this threat won’t be fading anytime soon. To better protect themselves from this threat, users must regularly keep their systems and software up-to-date.

For the spam component of this threat, it is also crucial for users and security administrators alike to realize that the usual spam and phishing best practices are not effective against BHEK spam runs. We previously released our report Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs, which goes into detail about our findings regarding the BHEK runs.

Users can visit the following blog posts for security tips on how to safely use PDF files and Java:

  • How to Use Java – If You Must
  • How To Use PDF Files More Safely
  • Disable Java not Bob’s Java Jive (or JavaScript)


Hat tip to Max-Emanuel Maurer for initially reporting this incident.

With additional analysis from threat response engineer Rhena Inocencio.
