Like other exploit kits, Gong Da has added support for the Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17. It has also added support for the Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in emergency patches in September 2012 and January 2013.
Here is the new code for CVE-2013-1493.
And here is the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).
A new variant of CVE-2012-1889 (xml.html) has also been introduced, which reduces the anti-virus detection rate.
As always, this new version of the Gong Da Exploit Kit was discovered on a Korean web site.
Gong Da Pack has evolved as shown in the following diagram.
Here is some information regarding the different files:
- HcIa2.jar (aka CVE-2011-3544): 11/46 on VirusTotal.com
- bzExj6.jar (aka CVE-2012-0507): 14/45 on VirusTotal.com
- BnkLbvY3.jar (aka CVE-2012-1723): 19/46 on VirusTotal.com
- iCNpns4.jar (aka CVE-2012-4681): 28/46 on VirusTotal.com
- JdtDFRW1.jar (aka CVE-2012-5076): 16/46 on VirusTotal.com
- TolxrJG6.jar (aka CVE-2013-0422): 19/46 on VirusTotal.com
- FQxzUjYP.jar (aka CVE-2013-1493): 16/46 on VirusTotal.com
- GwDFO7.swf (aka CVE-2013-0634): 10/46 on VirusTotal.com
- xmlcoreOld.html (aka CVE-2012-1889): 18/46 on VirusTotal.com
- xml.html (aka CVE-2012-1889): 3/35 on VirusTotal.com
- xmlcoreNew.html (aka CVE-2012-1889): 10/45 on VirusTotal.com
- 4792.html (aka CVE-2012-4792): 1/46 on VirusTotal.com
- xyaKEg.html and payload.html (aka CVE-2012-4969): 5/46 on VirusTotal.com
Normally Gong Da was used against gamers, but this time the loaded malware seems to be different (analysis on ThreatExpert).