The security community has been focused on the new Java zero-day exploits that appear to have been taken from a Chinese exploit pack (known as Gondad or KaiXin) used in targeted attacks by the “Nitro” cyber-espionage campaign and then incorporated into criminal operations using the BlackHole Exploit Kit. While the connections between these developments are starting to emerge, it is important to remember that campaigns, such as Nitro, don’t “come back” because they don’t go away. The Nitro attackers continued to be active after their activities were documented in 2011.
In fact, before they acquired this Java exploit, the Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012 (On a related note, another email was spotted in April 2012).
The file Flashfxp.exe was hosted on one of the same servers that hosted the Java zero-day and Poison Ivy payload, and it connects to ok.{BLOCKED}n.pk which resolves to the same IP address, {BLOCKED}.{BLOCKED}..233.244. This is the same address as hello.{BLOCKED}n.pk, the domain used as the command and control server for the Poison Ivy payload dropped by the Java zero-day.
Despite having at least two staging servers hosting the malicious files for the Java zero-day exploit (and at least three staging servers hosting executables), all the Poison Ivy payloads connect to domains that resolve to the same IP address. Numerous domain names used as Poison Ivy controllers related to the Nitro campaign also resolve to that IP address. While there was some initial skepticism regarding whether or not this Java exploit was used in targeted attacks, there appears to be increasing evidence that it was used by the “Nitro” attackers.
Trend Micro products detect and remove the exploits and Poison Ivy payload. Deep Discovery™ also detects and blocks communication done by the Poison Ivy payload.
Update as of August 31, 6:30 PM PDT
Oracle has released an out-of-bound patch for Java which patches this zero-day exploit. The update increments the version number to Version 7 Update 7 for users on the latest JRE version; users still using Java 6 are also receiving an update that will increment their version to Version 6 Update 35. Users should immediately update their systems to protect against this threat.
Update as of September 4, 11:10 AM PDT
Trend Micro Deep Security users should apply the rule 1005178 – Java Applet Remote Code Execution Vulnerability – 2 to protect from threats seen exploiting this Java vulnerability.
Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog
