Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher)

Zero-day exploits continued to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java. This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

Note that this zero-day exploit is NOT part of the recent slew of vulnerabilities related to the Hacking Team leak. The group behind Operation Pawn Storm is using the Java zero-day exploit as part of their campaign.

The said URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and White House last April 2015. However, at that time, these URLs were not hosting the said exploit yet. Pawn Storm also targeted other nation-state organizations using political events and meetings such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014 as part of its social engineering tactics. Media and defense industries were other entities targeted by this APT campaign apart from military and government.

We are able to detect this zero-day exploit through feedback from the Trend Micro™ Smart Protection Network™. Email messages targeting a certain armed forces of a NATO country and a US defense organization contained these malicious URLs where this Java exploit is hosted. Currently, this vulnerability is still not patched by Oracle. Based on our investigation, the latest Java version 1.8.0.45 is affected. Older versions, Java 1.6 and 1.7 are not affected by this zero-day exploit. We already notified Oracle and we’re collaborating with their security team regarding this threat. We will update this blog entry as new information about this threat is found. Note that this entry serves as a warning for a possible zero-day attack.

Once successfully exploited, it executes arbitrary code on the default Java settings thus compromising the security of the system. Trend Micro detects the exploit code as JAVA_DLOADR.EFD. The file which Trend Micro detects as TROJ_DROPPR.CXC drops the payload, TSPY_FAKEMS.C to the login user folder.

Trend Micro is already able to protect users against this threat without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention detects user systems against exploits targeting browsers or related plugins.

Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

1006857 – Oracle Java SE Remote Code Execution Vulnerability

We also recommend users to disable Java in browsers if installed due to an application. For more tips on how to minimize the risks of using Java, you can read our entry, How to Use Java-If You Must.

Other related posts to Operation Pawn Storm can be found here:

With Additional analysis by Peter Pi, Jack Tang and Weimin Wu.

Update as of July 12, 2015, 6:39 PM PDT (UTC-7)

We update to clarify a technical detail about the targets and to add Trend Micro Deep Security solution.

Below are the SHA1 hashes related to this threat:

b4a515ef9de037f18d96b9b0e48271180f5725b7

21835aafe6d46840bb697e8b0d4aac06dec44f5b

Update as of July 14, 2015 7:40 PM PDT (UTC-7)

This vulnerability has been patched by Oracle as part of their July 2015 Critical Patch Update. We recommend that affected users update their Java software as soon as possible. It has also been assigned a CVE identifier, CVE-2015-2590.