‘g01pack’ Exploit Kit Now Delivers Payload Via Multi-stage Attack

A new version of the Java exploit kit g01pack has added a second stage to the exploit process in order to bypass detection by antivirus tools, Trusteer’s researchers said. The kit has an infection rate estimated at about 1 out of 3,000 machines a month.

In the first stage, g01pack’s exploit shellcode executes a second stage, in which a Java class runs in a separate Java process, Trusteer found. This second Java process downloads and runs the final payload. Trusteer identified several malware families being delivered as the final payload, including Zeus, Torpig, Gozi, Shylock, and several others.

“‘g01pack’ is among the most successful exploit kits available today,” according to Amit Klein, CTO of Trusteer. The kit executes a “drive-by download” attack on victim computers to silently install malware, he said.

Splitting the attack into multiple parts lets cyber-criminals keep the exploit kit as generic as possible and bypass as many security products as possible. The initial Java process launches another Java process, which appears less suspicious. Only the last process downloads the malicious payload.

Once past the antivirus tool, the malware can deliver all possible payloads, Klein said. The malware assembles the download path using keywords randomly selected from a list and random numbers. The Java code in both stages is “heavily obfuscated,” as the developers applied four different methods, Klein said.
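The process chain described above (browser launches a Java process, which launches a second Java process, which alone fetches the payload) is something endpoint telemetry can flag. The following is an added example, not Trusteer's or SecurityWeek's code: it builds a process tree from constructed process-creation and outbound-connection events and reports a Java process whose parent is also Java, whose grandparent is a browser, and which made a network connection. Image names, pids and hosts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (pid, ppid, image) process-creation events and
# (pid, remote_host) outbound-connection events. All values are illustrative.
PROCESS_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "iexplore.exe"),
    (300, 200, "java.exe"),      # stage 1: applet JVM launched by the browser
    (400, 300, "java.exe"),      # stage 2: JVM launched from the exploit shellcode
    (500, 100, "outlook.exe"),
    (600, 100, "java.exe"),      # benign: desktop Java app started from explorer
    (700, 600, "javaw.exe"),     # benign: child JVM of that desktop app
]
NETWORK_EVENTS = [
    (400, "203.0.113.10"),       # stage 2 fetches the final payload (TEST-NET-3 address)
    (700, "192.0.2.5"),          # benign update check by the desktop app
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}


def find_java_chain_alerts(process_events, network_events):
    """Return (pid, [remote hosts]) for Java processes whose ancestry is
    browser -> java -> java and which opened an outbound connection.

    Each hop is checked explicitly, so a desktop Java application that spawns
    a child JVM (no browser ancestor) is not flagged, and a browser-launched
    JVM that never spawns a second JVM is not flagged either.
    """
    image = {pid: img.lower() for pid, _, img in process_events}
    parent = {pid: ppid for pid, ppid, _ in process_events}
    connected = defaultdict(list)
    for pid, host in network_events:
        connected[pid].append(host)

    alerts = []
    for pid, img in image.items():
        if img not in JAVA_IMAGES or pid not in connected:
            continue
        p = parent.get(pid)                 # should be the stage-1 JVM
        gp = parent.get(p) if p is not None else None  # should be the browser
        if image.get(p) in JAVA_IMAGES and image.get(gp) in BROWSER_IMAGES:
            alerts.append((pid, connected[pid]))
    return alerts


if __name__ == "__main__":
    for pid, hosts in find_java_chain_alerts(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"ALERT: browser->java->java chain, pid {pid} connected to {hosts}")
```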

The Java vulnerability (CVE-2012-1723), if exploited successfully, allows the malicious code to break out of the Java sandbox. Oracle patched the flaw in the Java Runtime Environment 6 and 7 in June last year as part of its scheduled quarterly update. This particular exploit requires a Windows platform and a JRE version earlier than 1.7 (that is, a machine not running Java 7 at all).

“Apparently there are still enough unpatched Java 6 installations to make it a valuable target for exploit kit writers,” Klein said.

This particular variant was detected by only eight of the 46 tools on VirusTotal, and only two identified the second stage as malicious, according to Trusteer. This is the first time Trusteer researchers have seen an exploit delivering its payload via a multi-stage attack, Klein said. Many drive-by exploits follow a two-stage pattern, where the first stage launches the initial malware infection and the second stage delivers the actual payload to inflict damage, according to Trusteer.

“Using the multi-staged attack, the ‘g01pack’ exploit kit can effectively distribute advanced malware evading detection by existing security controls,” Klein said.

Some of the implementation details are similar to the exploit used by Blackhole for the same vulnerability, Trusteer found. However, Blackhole had a two-stage exploit-payload mechanism rather than a multi-stage one. Considering how effective the multi-stage approach is, “it is highly likely that other exploit kits will incorporate a similar approach,” Klein said.
