Connect with us

Hi, what are you looking for?


Malware & Threats

‘g01pack’ Exploit Kit Now Delivers Payload Via Multi-stage Attack

A new version of the Java exploit kit g01pack has added a second stage to the exploit process in order to bypass detection by antivirus tools, Trusteer’s researchers said. The kit has an infection rate estimated at about 1 out of 3,000 machines a month.

A new version of the Java exploit kit g01pack has added a second stage to the exploit process in order to bypass detection by antivirus tools, Trusteer’s researchers said. The kit has an infection rate estimated at about 1 out of 3,000 machines a month.

In the first stage, g01pack’s exploit shellcode executes a second stage, in which a Java class runs in a separate Java process, Trusteer found. This second Java process downloads and runs the final payload. Trusteer identified several malware families being delivered as the final payload, including Zeus, Torpig, Gozi, Shylock, and several others.

“‘g01pack’ is among the most successful exploit kits available today,” according to Amit Klein, CTO of Trusteer. The kit executes a “drive-by download” attack on victim computers to silently install malware, he said.

Having multiple parts allow cyber-criminals to make sure that the exploit kit is as generic as possible to bypass as many security products as possible. The initial Java process launches another Java process, which appears less suspicious. It’s only the last process that downloads the malicious payload.

Once past the antivirus tool, the malware can deliver all possible payloads, Klein said. The malware assembles the download path using keywords randomly selected from a list and random numbers. The Java code in both stages is “heavily obfuscated,” as the developers applied four different methods, Klein said.

The Java vulnerability (CVE-2012-1723), if exploited successfully, allows the malicious code to break out of the Java sandbox. Oracle patched the flaw in the Java Runtime Environment 6 and 7 in June last year as part of its scheduled quarterly update. This particular exploit requires a Windows platform and a JRE version earlier than 1.7 (not running Java 7 at all).

“Apparently there are still enough unpatched Java 6 installations to make it a valuable target for exploit kit writers,” Klein said.

Advertisement. Scroll to continue reading.

This particularly variant was detected only by eight tools out of 46 on VirusTotal, and only two identified the second stage as malicious, according to Trusteer. This is the first time Trusteer researchers have ever seen an exploit delivering its payload via a multi-stage attack, Klein said. Many drive-by-exploits follow a two-stage pattern, where the first stage launches the initial malware infection and the second stage delivers the actual payload to inflict damage, according to Trusteer.

“Using the multi-staged attack, the ‘g01pack’ exploit kit can effectively distribute advanced malware evading detection by existing security controls,” Klein said.

Some of the implementation details are similar to the exploit used by BlackHole for the same vulnerability, Trusteer found. However, Blackhole had a two-stage exploit-payload mechanism instead of being multi-stage. Considering how effective the multi-stage approach is, “it is highly likely that other exploit kits will incorporate a similar approach,” said Klein said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...