Cyberattacks August 2012 – Java Zero-Day Exploited in the Wild
This new vulnerability exploitation consists of two phases. The first phase will download a malicious Java applet from ok[.]aa24[.]net with IP address 220.127.116.11, which currently resolving to an IP address in Taiwan. Once the first exploitation is successful, it will download and execute a dropper on the infected host. The dropper appears to be poison Ivy RAT variant, which likely to be detected by many antivirus vendors. The dropper will then call to a C&C server, with domain hello[.]icon[.]pk. Currently, this domain is resolving to an IP address 18.104.22.168 located in Singapore.
Sources from Internet indicated that the exploitation seems to work on Internet Explorer, Firefox and Google Chrome, and it affects Java 7 (1.7) Update 0 to 6. Metasploit later integrated this exploit into its framework, and it was told that the attack is successful against a fully patched Windows 7 SP1 with Java 7 Update 6. Another additional landing page “62[.]152[.]104[.]149/public/meeting/applet[.]jar” which is serving Java Zero-Day Exploit (CVE-2012-4681).
Disable Java plugin from your browser or uninstall it from your computer completely.
Block 22.214.171.124 – ok[.]aa24[.]net and 126.96.36.199 – hello[.]icon[.]pk.
*However attackers are not limited to the current domains and IP addresses.