Symantec recently received information on a new Java zero-day, Oracle Java Runtime Environment CVE-2013-1493 Remote Code Execution Vulnerability (CVE-2013-1493). The final payload in the attack consisted of a DLL file, detected by Symantec as Trojan.Naid, which connects to a command-and-control (C&C) server at 126.96.36.199.
Interestingly, a Trojan.Naid sample was also signed by the compromised Bit9 certificate discussed in the Bit9 security incident update and used in an attack on another party. This sample also used the backchannel communication server IP address 188.8.131.52.
The Trojan.Naid attackers have been extremely persistent and have shown their sophistication in multiple attacks. Their primary motivation has been industrial espionage on a variety of industry sectors. The attackers have employed multiple zero-days. In one example from 2012, Symantec reported on the Trojan.Naid attackers conducting a watering hole attack with a different zero-day, Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875).
Figure 1. Anatomy of latest Java zero-day attack
As seen in figure 1, the initial stage of the attack involves a target visiting a compromised site that hosts a malicious JAR file, detected by Symantec as Trojan.Maljava.B. The JAR file contains the exploit CVE-2013-1493 which, if successful, downloads a file called svchost.jpg that is actually an MZ executable, detected by Symantec as Trojan.Dropper. This executable then acts as a loader for the dropped appmgmt.dll file, detected as Trojan.Naid. An intrusion prevention (IPS) update due to be released later today will contain the following detection for the malicious JAR file.
Symantec is currently investigating further protections for this zero-day and will provide an update to this blog when possible. To protect against potential zero-day threats, Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protection is in place.
This new Java zero-day attack has also been highlighted in a blog by FireEye.