Less than 15 days after the release of Oracle Java CPU Special Update of 19 February, another Java 0day is reported exploited in the wild !
FireEye has report, in a blog post, the discovery of a new Oracle Java 0day targeting latest versions JSE 6 Update 41 and JSE 7 Update 15.
After successful exploitation of the newly discovered vulnerability, CVE-2013-1493, “svchost.jpg” (b6c8ede9e2153f2a1e650dfa05b59b99) file is loaded from the same server hosting the Java 0day. Then McRAT (aka Trojan.Naid) malware (4d519bf53a8217adc4c15d15f0815993) is dropped. Regarding the detection ratio of this malware (21/46), it seem that the Java 0day could be used in Exploit Pack.
- VirusTotal analysis of dropped McRAT.
- Malwr analysis of dropped McRAT.
- Anubis analysis of dropped McRAT.
Symantec has report some connections through the new Oracle Java 0day with the Bit9 security incident. In the actual Java 0day security incident case, “appmgmt.dll” file, dropped by “svchost.jpg“, is detected by Symantec as Trojan.Naid. Trojan.Naid sample is connecting 126.96.36.199 C&C server. In the Bit9 security incident case, Trojan.Naid was also present and also connecting to 188.8.131.52 C&C server. Symantec detect this Java 0day as “Trojan.Maljava.B” and regarding associated threat assessment, less than 49 computers were infected and less than 2 websites were used in the watering hole attack.
Some security researchers are actually studying the sample, it is question of days before this 0day will be widely exploited.
We advise you to deactivate Java plug-in execution asap.
Samples are appearing on VirusTotal like “svchost.jar” (a721ca9b2ea1c362bd704b57d4d5a280) with an actual detection ratio of 17/46.