“Exploit-CVE2012-4681” is the detection name for an obfuscated Java applet Trojan that exploits the vulnerability described in CVE-2012-4681.
The vulnerability is triggered by abusing restricted-package permissions: the class com.sun.beans.finder.ClassFinder makes it possible for untrusted code to obtain references to classes that belong to restricted packages.
The following steps are involved in exploiting the vulnerability:
1. First, the class "com.sun.beans.finder.ClassFinder" is used to obtain a reference to the class "sun.awt.SunToolkit", even though by default all sun.* packages are restricted.
2. Once the reference to "sun.awt.SunToolkit" is obtained, the applet invokes its "getField" method, which gives access to private fields.
3. After gaining access to the restricted package, the applet disables the Java Security Manager.
4. The applet then checks the installed operating system to determine whether the system is vulnerable. If it is, the malware payload is downloaded and executed.
The exploit package usually arrives as a set of class files, where one class file exploits the vulnerability and another downloads and executes the malicious payload.
The malicious package contains the following classes:
• nrenerb.class [Applet class that loads the malicious script]
• nrenerd.class [Class that holds the download URL]
• nrenere.class [Class that triggers the exploit]
• nrenerf.class [Class that holds the obfuscated script]
The following code obtains a reference to the restricted "sun.awt.SunToolkit" class and uses that reference to call the "getField" method:
The following code is used to disable the Security Manager:
Once the Security Manager is disabled, the applet can run arbitrary code in the browser because no security checks are enforced. The exploit then downloads the malicious payload from a remote site and executes it on the compromised system.
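A defender triaging a suspicious applet can look for the indicators this write-up names directly in the class file's constant pool, where the JVM stores class and method names as CONSTANT_Utf8 entries. The scanner below is an added example, not code from the detection vendor or from the malware; it parses the constant pool of a .class file and reports which of the indicator strings appear. The indicator list takes the three names from this page (ClassFinder, SunToolkit, getField) plus the standard System.setSecurityManager API name, which is my assumption for what "disabling the Security Manager" looks like in bytecode. The two sample class files are constructed in the script itself so it runs offline; they are not real samples.

```python
"""Scan Java .class files for the CVE-2012-4681 indicators named in the write-up."""
import struct

# Constant-pool tag -> fixed payload size in bytes. CONSTANT_Utf8 (tag 1)
# is variable-length and is handled separately in the parser.
_FIXED_SIZE = {
    3: 4,   # Integer
    4: 4,   # Float
    5: 8,   # Long   (occupies two constant-pool slots)
    6: 8,   # Double (occupies two constant-pool slots)
    7: 2,   # Class
    8: 2,   # String
    9: 4,   # Fieldref
    10: 4,  # Methodref
    11: 4,  # InterfaceMethodref
    12: 4,  # NameAndType
    15: 3,  # MethodHandle
    16: 2,  # MethodType
    18: 4,  # InvokeDynamic
}

# Indicator strings in JVM internal form ('/' separators). The first three are
# taken from the write-up; setSecurityManager is an assumed extra indicator.
INDICATORS = {
    "com/sun/beans/finder/ClassFinder": "restricted-package class lookup",
    "sun/awt/SunToolkit": "reference to restricted sun.* class",
    "getField": "private field access via SunToolkit",
    "setSecurityManager": "Security Manager tampering (assumed indicator)",
}


def constant_pool_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 string in the class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count
    pos, index, strings = 10, 1, []
    while index < count:                         # entries are numbered 1..count-1
        tag = data[pos]
        pos += 1
        if tag == 1:                             # u2 length + modified UTF-8 bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1       # Long/Double take two slots
    return strings


def scan_class(data: bytes) -> dict:
    """Map each indicator found in the class file to a short description."""
    found = {}
    for entry in constant_pool_strings(data):
        for needle, why in INDICATORS.items():
            if needle in entry:
                found[needle] = why
    return found


def _build_sample_class(utf8_entries) -> bytes:
    """Construct a minimal class-file prefix whose constant pool holds the given
    strings (constructed test input, not a real applet)."""
    pool = b""
    for s in utf8_entries:
        enc = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(enc)) + enc
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50)   # Java 6 version
    return header + struct.pack(">H", len(utf8_entries) + 1) + pool


# Constructed samples: one mimicking the exploit-triggering class, one benign.
SUSPICIOUS_CLASS = _build_sample_class([
    "nrenere", "java/lang/Object", "com/sun/beans/finder/ClassFinder",
    "findClass", "sun/awt/SunToolkit", "getField",
])
BENIGN_CLASS = _build_sample_class(["Hello", "java/lang/Object", "<init>"])

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_CLASS), ("benign", BENIGN_CLASS)):
        print(name, scan_class(blob))
```

Because the parser reads only the constant pool, it works on any real .class file passed as bytes (`scan_class(open(path, "rb").read())`), including the four class names listed above once extracted from the applet's JAR. Substring matching is deliberate: obfuscators rename the malware's own classes, but they cannot rename the JDK classes and methods the exploit must reference.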