Following our recent blog posts regarding the propagation of
Java vulnerability CVE-2012-4681 (New
Java 0-day used in small number of attacks) and its subsequent inclusion in
the infamous Blackhole Exploit Kit (New
Java 0-day added to Blackhole Exploit Kit), the Websense®
ThreatSeeker® Network has detected a new malicious email campaign purporting to
be an order verification email from Amazon directing victims to a page
containing the recent Java exploit.
If successful, this exploit could allow the cyber-criminals
behind this campaign to deliver further malicious payloads to the victim’s
machine which, for example, could lead to the exfiltration of personal and
Oracle have released an out-of-band patch for this Java
release Java 1.7.0_07 to fix CVE-2012-4681) and Websense customers are
protected from this and other threats by ACE™, our Advanced Classification
On 1st September, Websense® ThreatSeeker® Network
intercepted over 10,000 malicious emails with the subject ‘You Order With
Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
Once the victim has clicked the link, they are redirected to
an obfuscated page hosting the Blackhole
Exploit Kit – in this case, hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4
. The Payload view below highlights the Java Archive ‘Leh.jar’ which is
then used to exploit CVE-2012-4681
should the victim’s machine be vulnerable, an analysis of this file can also be
found on VirusTotal.
machine, such as determining the browser type and version as well as the Adobe
Flash, Adobe Reader and Java versions, and then based
on this information selects the
‘best’ exploit to use against this particular victim.
This email campaign further illustrates the ingenuity and
speed at which cyber-criminals package and propagate malicious content along
with social-engineering techniques in order to exploit both recent software
vulnerabilities and the trusting nature of end-users.