" is the detection for a malicious Java class files stored within a Java archive (.JAR) , which attempts to exploit a vulnerability in the Java Runtime Environment (JRE) which includes version 7 update 7 and earlier.
Java Applet vulnerabilities, attacker can gain access to the local file system by exploiting CVE-2012-5076 vulnerability and bypassing Security Manager.
Unsigned Java applets run inside a sandbox environment which strictly restricts the applet’s access to system resources like file and process operations. However, when some dangerous packages are exposed to untrusted code, the malicious code can access packages that can be abused to create the user’s own class on the fly with escalated privileges.
From the below code confirms that the malware used util. GenericConstructor class and ManagedObjectManagerFactory class to attack the Java security model. Class util. GenericConstructor is used to create an object from a restricted class (sun.invoke.anon.AnonymousClassLoader) and ManagedObjectManagerFactory’s getMethod method is used to retrieve the method object of “loadClass” from sun.invoke.anon.AnonymousClassLoader class. sun.invoke.anon.AnonymousClassLoader has the ability to load a class and on go it provided byte stream.
Upon the visit of the malicious page, the web browser downloads .jar file and executes it in JVM. If it was just a normal Applet, Security Manager would block its execution; however, the exploit code disables Security Manager, and therefore the code can be executed even on the local system.
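As an added example (not part of the original write-up), the following Python scanner unpacks a JAR and flags class entries whose constant pool references the restricted classes named above, in either slash-separated internal form or dotted form (as a string passed to reflection). The sample JAR it inspects is constructed inline and is not a real exploit; matching uses only the class names given in the write-up, not an assumed package prefix.

```python
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every .class file starts with this

# Names the write-up identifies as the exploit's building blocks.
SUSPICIOUS_NAMES = [
    "sun.invoke.anon.AnonymousClassLoader",
    "util.GenericConstructor",
    "ManagedObjectManagerFactory",
]


def _pattern(name: str) -> re.Pattern:
    """Match the name with '.' or '/' between components (dotted vs internal form)."""
    parts = [re.escape(p) for p in name.split(".")]
    return re.compile("[./]".join(parts).encode())


PATTERNS = [(n, _pattern(n)) for n in SUSPICIOUS_NAMES]


def scan_jar(jar_bytes: bytes) -> dict:
    """Return {entry_name: [matched names]} for .class entries that reference
    any suspicious name. Non-class entries (manifest, resources) are skipped."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if not data.startswith(CLASS_MAGIC):
                continue
            found = [n for n, p in PATTERNS if p.search(data)]
            if found:
                hits[info.filename] = found
    return hits


def verdict(jar_bytes: bytes) -> bool:
    """True if any class reaches the restricted loader, or combines both gmbal helpers."""
    for found in scan_jar(jar_bytes).values():
        if "sun.invoke.anon.AnonymousClassLoader" in found:
            return True
        if {"util.GenericConstructor", "ManagedObjectManagerFactory"} <= set(found):
            return True
    return False


def build_sample_jar(include_exploit: bool = True) -> bytes:
    """Constructed sample: fake .class entries (magic, version 51, CONSTANT_Utf8
    entries) carrying the names above; 'Helper.class' is benign."""
    bad = (CLASS_MAGIC + b"\x00\x00\x00\x33"
           + b"\x01\x00\x24sun/invoke/anon/AnonymousClassLoader"
           + b"\x01\x00\x09loadClass"
           + b"\x01\x00\x1bManagedObjectManagerFactory"
           + b"\x01\x00\x17util/GenericConstructor")
    good = CLASS_MAGIC + b"\x00\x00\x00\x33" + b"\x01\x00\x10java/lang/Object"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Helper.class", good)
        if include_exploit:
            zf.writestr("Exploit.class", bad)
    return buf.getvalue()
```

A real scanner would parse the constant pool properly rather than regex over raw bytes, but the class names still appear as CONSTANT_Utf8 entries exactly as matched here.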