Despite the prevalence of Web-based client-side exploitation tools as the cybercrime ecosystem's primary infection vector, in a series of blog posts we've been emphasizing the emergence of managed/hosted/DIY malicious Java applet generating tools and platforms, highlighting a growing market segment that relies on 'visual social engineering' vectors to trick end users into executing malicious/rogue/fake Java applets and, ultimately, joining a cybercriminal's botnet.
We’ve recently spotted yet another Web based Java drive-by generating tool, and decided to take a peek inside the malicious infrastructure supporting it.
Sample screenshot of the malicious Web-based Java drive-by generating tool:
Among the tool's key differentiating features are the ability to generate undetected applets, the ability to make identical copies of legitimate Web sites in order to socially engineer end users into believing they are the legitimate ones, and the option to host a potential cybercriminal's campaign within the vendor's own malicious bulletproof hosting infrastructure.
Known to have been downloaded from the same IP (184.108.40.206) as the original hosting location is the following malicious MD5: 1d03779cc7325c7b299fb2302210ec59, detected by 41 out of 50 antivirus scanners as Trojan.Win32.Inject.fzhy.
Related malicious MD5s known to have phoned back to the last known IP (220.127.116.11) responding to the original hosting location:
Once executed, MD5: 96101e4c8ed7d1e909f6584e91ac468d phones back to the following C&C servers:
Also known to have phoned back to the same C&C server (18.104.22.168) are the following malicious MD5s:
We'll continue monitoring the development of this market segment and will post updates as soon as new developments take place.
Webroot SecureAnywhere users are proactively protected from these threats.