Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik  •  June 4th, 2011  •   Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really usable, as it required activation by the author of the exploit kit: the kit contains an activation page that is used to load all the exploits onto the server for each specific customer. As expected, the author of the exploit kit has since released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo

The changes between the two versions are minor, but still very important, as most exploits lose their effectiveness within a very short time, especially the ones for the latest IE vulnerabilities.

The new pack 2.7 contains the following updates:

  • JAVA exploit added – Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
  • Old exploits were removed; the exploit kit currently contains the following exploits:
  • The obfuscation technique has been changed.
New exploit added

De-compiled class “stomp” – klcteugviqyvfu.jar

De-obfuscation sections from the de-compiled JAR file

The HTML web page loads a malicious JAR file, as shown in the screenshot above. The obfuscated code builds the link to the payload from a parameter passed in by the preceding HTML web page.

De-obfuscation code section from the de-compiled JAR file

The screenshot above shows part of the code that is used to exploit the victim’s machine and execute the payload with higher privileges.

The control panel looks exactly like the older versions:

Phoenix Exploit Kit advanced statistics

Phoenix exploit kit simple statistics

Once again, we find that cybercriminals rely on JAVA and PDF exploits, as these have become the most efficient and reliable attack vectors.