14 DAY TRIAL // A few hours ago, Oracle released its April 2013 CPU to patch over 40 Java vulnerabilities. However, it’s likely that many users will fail to update to the latest variant, giving cybercriminals an easy access door to their computers.
A perfect example is a campaign that leverages the recent Boston Marathon bombings in an effort to distribute malware.
According to experts from security firm Avira, it all starts with emails entitled something like “Boston Explosion Caught on Video” or “Explosion at Boston Marathon.”
The emails contain links that point to files called “boston.html” or “news.html,” which are hosted on compromised websites. These websites are designed to drop a .JAR file which probes the infected system for vulnerable Java installation.
“The JAR files uses a vulnerability in Java to download and then execute an executable file. So, this part of the attack affects also Macs,” Avira’s Sorin Mustaca told Softpedia in an email.
“The second step of the attack consists in the execution of the downloaded file. This file is a Windows PE executable, thus is affecting only the Windows world,” he explained.
The downloaded file, identified by Avira as TR/Crypt.ZPACK.Gen, and the URL it’s downloaded from are randomly generated for each victim.
It’s worth noting that there are several variants of this campaign currently making the rounds. Kaspersky, Conrad Longmore of Dynamoo’s Blog, and Trend Micro have all analyzed the emails and in each case, there have been some differences.
The variants analyzed by Kaspersky lured users to pages that displayed YouTube videos and directly pushed malicious .exe files.
“We have never seen in the cases we analyzed any EXE file offered as download. In all cases there was the JAR file which triggered the download and execution of the malicious payload. So, we can say for sure that this is a different way of spreading the malware,” Mustaca added.
In addition to this attack, Avira says it has identified Facebook posts related to the Boston incident that contain links to various malicious websites.
“Currently the posts are being gathered and correlated with the other data we have from the emails,” the security expert noted.