
Gong Da Exploit Kit Boosts Java Attack Power With Latest Exploits

The latest Java vulnerability has been integrated into both Black Hole and Gong Da exploit kits, making it easier for cyber-criminals to launch attacks exploiting the flaw, a security researcher said.

The Gong Da exploit kit has been adding support for a number of Java vulnerabilities recently, and its latest iteration includes the remote code execution flaw in the Java Applet JAX Web services library, Eric Romang, a security researcher and founder of, wrote Sunday. The exploit, CVE-2012-5076, targets Java SE 7 Update 7 and earlier, and was patched by Oracle on Oct. 16 as part of Java SE 7 Update 9. However, Java 6 installations don’t have this vulnerability, regardless of whether the software is up-to-date or not, Jeong Wook (Matt) Oh, a researcher at Microsoft Malware Protection Center, wrote on the MMPC blog last week.

The Gong Da exploit kit also includes attacks for several other Java flaws, including CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (the zero-day discovered in August), CVE-2012-0507, CVE-2012-1723, and CVE-2012-1889 (Microsoft XML Core Services). Gong Da has changed its list of targeted vulnerabilities recently. Previous versions supported Adobe Flash Player (CVE-2011-2140) and Windows Media (CVE-2012-0003) bugs, but these exploits don’t appear in the latest version of the toolkit anymore, Romang said.

“Recently, we have seen more and more Java malware and malware distributors using new vulnerabilities quicker than ever before,” Oh wrote.

Gong Da is the third exploit kit to integrate CVE-2012-5076 into its repertoire, following Cool Exploit Kit and Black Hole, Romang said.

Websites created using the Gong Da kit, which means “attack” in Chinese, chain several exploits together as part of their attack pattern. Most of the malware samples that actually exploit CVE-2012-5076 are bundled with other Java exploits to increase their attack coverage, Oh said. For example, attacks exploiting CVE-2012-5076 may be included in malware along with attacks for CVE-2012-1723, which can be used on both unpatched Java 6 and 7, Oh said.

Depending on the specific version of Java SE installed on the victim computer, Gong Da served up different .jpg image or .html files exploiting specific Java vulnerabilities, according to the control flow diagram on Romang’s post.

Romang came across the latest Gong Da exploit on a site whose domain was registered on Nov. 17. The index.html file on the site contains JavaScript obfuscated by the “JSXX VIP JS Obfuscator” tool and is difficult to detect, he said. Only eight out of 44 antivirus detectors on VirusTotal flagged the initial file as malicious, Romang said in his post three days ago. That number appears unchanged as of this writing.

As for the JAX-WS flaw, existing malware abuses the “package access problem” in the Java Runtime Environment, Microsoft’s Oh wrote. Package access is important because if trusted code is exposed to the user, it can be abused to break the Java security model, Oh said. For example, untrusted Java applets should not be able to access Oracle packages, such as Glassfish’s gmbal.

“Packages usually contain critical operations that should not be performed from untrusted code like unsigned Java applets,” Oh said.

Unsigned Java applets run inside a sandbox environment which is designed to restrict access to system resources like file and process operations. Malicious code with access to packages can create the user’s own class on the fly with escalated privileges, Oh wrote.
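The package restriction described above is configured through the `package.access` property in a JRE's `java.security` file, so it can be audited offline. The following is an added example, not code from the article or from the researchers' posts: it parses that property and applies the same prefix test `SecurityManager.checkPackageAccess` uses. The sample file contents and the full package name `com.sun.org.glassfish.gmbal` are assumptions made for illustration.

```python
# Added example: audit which packages a java.security file restricts.
# WEAK/HARDENED are constructed samples; the gmbal package name is an assumption.

def parse_properties(text):
    """Minimal .properties parser: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:      # sentinel flushes a trailing continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def restricted_prefixes(props):
    """Entries of package.access as a list of prefixes."""
    return [p.strip() for p in props.get("package.access", "").split(",") if p.strip()]

def is_restricted(pkg, prefixes):
    """A package is restricted if it starts with a listed prefix, or if a
    listed entry is exactly the package name followed by a dot."""
    return any(pkg.startswith(p) or p == pkg + "." for p in prefixes)

def audit(text, packages):
    """Map each package name to True when untrusted code would be denied access."""
    prefixes = restricted_prefixes(parse_properties(text))
    return {pkg: is_restricted(pkg, prefixes) for pkg in packages}

WEAK = """\
# constructed sample: gmbal is not on the restricted list
package.access=sun.,\\
               com.sun.xml.internal.ws.
"""
HARDENED = """\
# constructed sample: gmbal added to the restricted list
package.access=sun.,\\
               com.sun.xml.internal.ws.,\\
               com.sun.org.glassfish.gmbal.
"""
PACKAGES = ["sun.misc", "com.sun.org.glassfish.gmbal",
            "com.sun.org.glassfish.gmbal.util", "java.util"]

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text, PACKAGES))
```

The restriction only takes effect for code running under a security manager, as unsigned applets do; a `False` for an internal package means sandboxed code could reach it without an `accessClassInPackage` permission.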

“From what we have seen in the last few months, we expect to see more and more exploits abusing this vulnerability,” Oh said. “So, users should be prepared for this threat.”
