” is for Java applets that are written with malicious intention to
Downloads other payloads and execute them without user consent. The applet malware exploits a Java Runtime Vulnerability as explained in exploit CVE-2012-0507.
The vulnerability is in the implementation of the AtomicReferenceArray class that allows type safety checks to be circumvented to bypass the Java sandbox will permit Java to download and execute malware. The Applet typically contains code that consumes a URL Name (also a part of the Applet) which hosts the malware.
The exploit first creates an error object which the vulnerable Java Script Engine cannot handle, and then it executes a script that disables the Java Security Manager using the "toString" method. It then throws an Exception and proceeds further and calls with the malicious class file to execute the arbitrary code.
In the wild, it can be found as a Java archive. The malicious HTML passes the encrypted URL of the file to download and execute as the parameter x to the applet.
The malicious HTML passes the encrypted URL of the file to download and execute as the parameter x to the applet.
The JAR file contains class files in the vmcsvpjjhjwaeckbklw package which triggers the Vulnerability
- bhppjvkrghmblnwr.class (Vulnerability triggering class file)
- hknhpfcmfnrgjewstwmvjb.class (Class Loader)
- cktewjlmbdmd.class(Disable Java Security Manager)
- huwvqvenwr.class(Payload downloader) (Detected as Downloader-BCS!v)
- acqalhmf.class (Applet class)
Upon execution, the Trojan attempts to affects the vulnerability in Java Runtime Environment (JRE).
The arbitrary file is a URL is to create a java.net.URL object, then call its openStream() method. The method handles the details of creating the connection, issuing an HTTP GET request, and retrieving the response data.