JV/Exploit-Blacole.q is a detection for malicious Java code that exploits CVE-2012-1723.
"Exploit-CVE2012-1723" is the detection for malicious Java class files stored within a Java archive (.JAR) that attempt to exploit a vulnerability in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier. The vulnerability allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
This exploit may be encountered when visiting a compromised webpage that contains the malicious code.
The code is created by an attacker using the "Blackhole" Exploit Kit and inserted into a compromised webpage.
When the page is visited by a user running vulnerable versions of Java, the malicious Java class runs and allows the execution of arbitrary code.
The vulnerability exists due to type confusion between a static variable and an instance variable. A static variable is shared by the whole class, whereas an instance variable is only valid in an instantiated object of that class.
The malicious Java package may contain the following malicious Java class files:
Upon successful exploitation, it tries to connect and download another payload through remote port 5152 and listens on a random port.
Upon successful exploitation, it creates the following file in the location below in order to execute the payload:
- %temp%\V.class [Detected as Exploit-CVE2012-1723]
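
The affected version ranges and the dropped file named above can be turned into a quick host triage check. The following is an added example, not part of the original detection write-up: the function names, host names and sample version strings are constructed, and treating older 1.4.x micro releases as "earlier" than 1.4.2_37 is an assumption.

```python
import os
import re

# Last affected (micro, update) per (major, minor) family, from the list above.
LAST_AFFECTED = {
    (1, 7): (0, 4),    # Java SE 7 update 4 and earlier
    (1, 6): (0, 32),   # 6 update 32 and earlier
    (1, 5): (0, 35),   # 5 update 35 and earlier
    (1, 4): (2, 37),   # 1.4.2_37 and earlier (assumed to include older 1.4.x)
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

def parse_java_version(text):
    """Return (major, minor, micro, update) found in text, or None."""
    m = VERSION_RE.search(text)
    # A string such as "1.7.0" with no "_uu" suffix is treated as update 0.
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def is_affected(text):
    """True if the version is in a range the description lists. Families it
    does not list (for example 1.8 or 11.x) are reported as not affected."""
    v = parse_java_version(text)
    if v is None:
        return False
    limit = LAST_AFFECTED.get(v[:2])
    return limit is not None and v[2:] <= limit

def dropped_class_path(temp_dir):
    """Return the path of V.class in temp_dir if present, else None."""
    path = os.path.join(temp_dir, "V.class")
    return path if os.path.isfile(path) else None

def triage(inventory):
    """Return the sorted host names whose reported Java version is affected."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_04"',
    "ws-02": 'java version "1.7.0_05"',
    "ws-03": "1.6.0_31",
    "ws-04": "1.4.1_07",
    "ws-05": 'openjdk version "11.0.2" 2019-01-15',
}

if __name__ == "__main__":
    print("Affected hosts:", triage(SAMPLE_INVENTORY))
    print("Dropped file:", dropped_class_path(os.environ.get("TEMP", "/tmp")))
```

A V.class file in the temp directory is a reason to scan the host with the detection above, not proof of compromise on its own.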