SecurityWeek

Malware & Threats

‘g01pack’ Exploit Kit Now Delivers Payload Via Multi-stage Attack

A new version of the Java exploit kit g01pack has added a second stage to the exploit process in order to bypass detection by antivirus tools, Trusteer’s researchers said. The kit has an infection rate estimated at about 1 out of 3,000 machines a month.


In the first stage, g01pack’s exploit shellcode executes a second stage, in which a Java class runs in a separate Java process, Trusteer found. This second Java process downloads and runs the final payload. Trusteer identified several malware families being delivered as the final payload, including Zeus, Torpig, Gozi, Shylock, and several others.

“‘g01pack’ is among the most successful exploit kits available today,” according to Amit Klein, CTO of Trusteer. The kit executes a “drive-by download” attack on victim computers to silently install malware, he said.

Splitting the attack into multiple parts lets the criminals keep the exploit kit as generic as possible, so that it slips past as many security products as possible. The initial Java process launches another Java process, which appears less suspicious; only that last process downloads the malicious payload.

Once past the antivirus tool, the malware can deliver any payload its operators choose, Klein said. The second stage assembles the download path from keywords randomly selected from a list combined with random numbers, so the path is not predictable. The Java code in both stages is “heavily obfuscated,” with four different obfuscation methods applied by the developers, Klein said.
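Because the download path is randomised, a URL or filename signature is the wrong place to look; the stable feature of the chain described above is the process tree (browser-hosted Java starting a fresh Java process, which then fetches and runs something else). The following is an added example, not code from Trusteer or from the kit, showing that heuristic run over constructed process-creation events. The event format, the image names (including treating jp2launcher.exe as the Java plug-in host) and the sample tree are assumptions of this example.

```python
"""Flag browser-rooted Java-spawns-Java process chains.

Added example: the events below are constructed, not real telemetry, and the
rule is a generic heuristic for the multi-stage pattern described in the text,
not Trusteer's detection logic.
"""
from dataclasses import dataclass
from typing import Dict, List

# Images that host Java code on Windows. Treating jp2launcher.exe (the browser
# plug-in host on Java 6u10 and later) as "Java" is an assumption of this example.
JAVA_IMAGES = {"java.exe", "javaw.exe", "jp2launcher.exe"}
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe"}


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style, constructed)."""
    pid: int
    ppid: int
    image: str            # lower-case basename of the executable
    cmdline: str
    net_conn: bool = False  # opened an outbound connection during its lifetime


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent pointers upward; returns [self, parent, grandparent, ...]."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_java_chains(events: List[ProcEvent]) -> List[dict]:
    """Return Java processes whose parent is Java and whose tree is rooted in a browser.

    Java forking Java is normal for build tools, so the browser ancestor is
    required; the rule never looks at URLs or filenames, which the kit randomises.
    """
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits = []
    for e in events:
        if e.image not in JAVA_IMAGES:
            continue
        chain = ancestors(e.pid, by_pid)
        if len(chain) < 3 or chain[1].image not in JAVA_IMAGES:
            continue  # parent is not Java: an ordinary applet or desktop app
        if not any(a.image in BROWSER_IMAGES for a in chain[2:]):
            continue  # no browser above: build tool or similar, not drive-by
        # Non-Java children of the flagged JVM are candidate dropped payloads.
        dropped = [c for c in children.get(e.pid, []) if c.image not in JAVA_IMAGES]
        hits.append({
            "pid": e.pid,
            "chain": [a.image for a in reversed(chain)],
            "net_conn": e.net_conn,
            "spawned": [c.image for c in dropped],
        })
    return hits


# Constructed sample tree: one g01pack-style chain plus two benign Java trees.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "explorer.exe", "explorer.exe"),
    ProcEvent(100, 4, "iexplore.exe", "iexplore.exe http://example.test/"),
    # Java plug-in host running inside the browser session (exploited here)
    ProcEvent(200, 100, "jp2launcher.exe", "jp2launcher.exe -secure -vm ..."),
    # second stage: a fresh JVM started by the shellcode, which fetches the payload
    ProcEvent(300, 200, "java.exe",
              "java.exe -cp C:\\Users\\u\\AppData\\Local\\Temp\\rx7 Main", net_conn=True),
    # final payload written to disk and executed by the second-stage JVM
    ProcEvent(310, 300, "payload.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\payload.exe"),
    # benign: build tool forks a JVM from a console-rooted tree
    ProcEvent(400, 4, "cmd.exe", "cmd.exe"),
    ProcEvent(500, 400, "java.exe", "java.exe -jar build.jar"),
    ProcEvent(600, 500, "java.exe", "java.exe -cp target/classes Tests"),
    # benign: ordinary applet, no Java-from-Java
    ProcEvent(700, 4, "firefox.exe", "firefox.exe"),
    ProcEvent(800, 700, "jp2launcher.exe", "jp2launcher.exe -secure -vm ..."),
]

if __name__ == "__main__":
    for hit in find_java_chains(SAMPLE_EVENTS):
        print(hit)
```

Only the browser-rooted chain (pid 300) is reported; the Maven-style fork under cmd.exe and the plain applet are not. In production the same rule would be fed from Sysmon or EDR process-creation events, and the "spawned" and "net_conn" fields are what an analyst would pivot on to recover the dropped payload.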

The Java vulnerability (CVE-2012-1723), if exploited successfully, allows the malicious code to break out of the Java sandbox. Oracle patched the flaw in Java Runtime Environment 6 and 7 in June last year as part of its scheduled quarterly update. This particular exploit requires a Windows platform and a JRE version earlier than 1.7, that is, a machine that has not moved to Java 7 at all.

“Apparently there are still enough unpatched Java 6 installations to make it a valuable target for exploit kit writers,” Klein said.

This particular variant was detected by only eight of the 46 engines on VirusTotal, and only two flagged the second stage as malicious, according to Trusteer. This is the first time Trusteer researchers have seen an exploit deliver its payload via a multi-stage attack, Klein said. Many drive-by exploits follow a two-stage pattern, in which the first stage is the exploit that establishes the initial infection and the second stage is the payload that inflicts the damage; g01pack adds an intermediate Java stage between the two, according to Trusteer.


“Using the multi-staged attack, the ‘g01pack’ exploit kit can effectively distribute advanced malware evading detection by existing security controls,” Klein said.

Some of the implementation details are similar to the exploit used by BlackHole for the same vulnerability, Trusteer found. BlackHole, however, used a two-stage exploit-to-payload mechanism rather than a multi-stage one. Considering how effective the multi-stage approach is, “it is highly likely that other exploit kits will incorporate a similar approach,” Klein said.
