Attackers actively using Java zero day

Security researchers around the globe have noticed attackers deploying an exploit for Java in their attacks. The vulnerability affects Java 7 (1.7) Update 0 through Update 6; it does not affect Java 6 and below. Initially, researchers stated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera but not against Google Chrome. According to Rapid7, however, a Metasploit module in development successfully deploys this exploit against Chrome (on at least Windows XP). The news came to light when a FireEye researcher posted about a zero day in Java noticed during an analysis.
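Since the only thing that matters for exposure is the exact Java 7 update level, here is a small check I added for this post (it is not code from the original report or from any of the researchers mentioned) that parses the banner printed by `java -version` and flags the 1.7.0 Update 0 to 6 range stated above. It assumes the standard banner format, for example `java version "1.7.0_06"`, and treats a bare `1.7.0` as Update 0.

```python
import re
import subprocess

# Affected range as stated in the post: Java 7 (1.7.0) Update 0 through Update 6.
AFFECTED_MAJOR = "1.7.0"
AFFECTED_UPDATES = range(0, 7)

_VERSION_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')


def parse_java_version(banner):
    """Extract (major, update) from `java -version` output.

    Accepts banners such as 'java version "1.7.0_06"' (update 6) and
    'java version "1.7.0"' (no suffix, i.e. update 0). Returns None when the
    text does not look like a Java version banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    ver = m.group("ver")
    # Drop vendor/build suffixes such as "-b21" or "-ea" before splitting.
    ver = re.split(r"[-+ ]", ver, maxsplit=1)[0]
    major, _, update = ver.partition("_")
    return major, (int(update) if update.isdigit() else 0)


def is_affected(banner):
    """True if the banner describes a JRE in the affected 1.7.0_00..1.7.0_06 range."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    return major == AFFECTED_MAJOR and update in AFFECTED_UPDATES


def local_java_banner():
    """Run `java -version` (it prints to stderr) and return the text, or '' if java is missing."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    banner = local_java_banner()
    print(banner.strip() or "java not found")
    print("AFFECTED" if is_affected(banner) else "not in the affected range")
```

Note that the check only tells you whether the installed JRE falls in the range the post names; a browser plugin can be disabled independently of the JRE, so an "AFFECTED" result means the version is exposed, not necessarily that the browser will load it.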

Traffic analysis in Wireshark

Further analyses collected from several sources show how the exploit, packaged into malware, was helping attackers gain access stealthily using the zero day. According to one of these analyses, the initial exploit is hosted on a domain named ok.XXX4.net. A successful exploit attempt results in a dropper (Dropper.MsPMs) being installed on the victim system. The dropper executable is located on the same server, at http://ok.XXX4.net/meeting/hi.exe, and carries malicious DLLs with it. Dropper.MsPMs then talks to its own CnC domain, hello.icon.pk, which at the time of the analysis resolved to 223.25.233.244, an IP address located in Singapore.

The porting of this exploit to Metasploit is already cause for caution, but its deployment in exploit packs like BlackHole could be far more damaging. Stay tuned with us for more updates! :)
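To make the indicators above usable, here is a detection pass I added for this post (not code from the quoted analysis) that sweeps proxy, DNS and firewall log lines for the exploit host, the dropper URL path, the CnC domain and the CnC IP. The exploit host is printed redacted on the page (ok.XXX4.net), so it is kept redacted here; the log lines are constructed samples in squid, BIND query-log and iptables-like formats, not captures from the incident. The IP indicator is the weakest of the set, since the post only says the domain is "currently resolving" to it, so treat an IP-only hit as lower confidence than a domain or URL hit.

```python
import ipaddress
import re

# Indicators as reported in the analysis above. The exploit domain is redacted
# on the page (ok.XXX4.net) and is left redacted here.
IOC_DOMAINS = {"ok.xxx4.net", "hello.icon.pk"}
IOC_URL_PATHS = {"/meeting/hi.exe"}
IOC_IPS = {ipaddress.ip_address("223.25.233.244")}

# Constructed sample log lines (not from the incident): squid proxy lines,
# BIND query-log lines and an iptables-style connection line.
SAMPLE_LOGS = [
    "1345881600.123 532 10.0.0.15 TCP_MISS/200 418562 GET "
    "http://ok.XXX4.net/meeting/hi.exe - DIRECT/198.51.100.7 application/octet-stream",
    "client 10.0.0.15#53214: query: hello.icon.pk IN A + (10.0.0.2)",
    "client 10.0.0.22#40211: query: www.example.com IN A + (10.0.0.2)",
    "ACCEPT src=10.0.0.15 dst=223.25.233.244 proto=TCP dport=80",
    "1345881700.456 120 10.0.0.22 TCP_MISS/200 1024 GET "
    "http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
]

_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_RE = re.compile(r"https?://[^\s/]+(/[^\s]*)", re.I)


def match_iocs(line):
    """Return the set of indicator strings present in one log line.

    Hostnames are compared case-insensitively, URL paths are taken from any
    http(s) URL in the line, and IP strings are parsed so that only real
    addresses (not timestamps or sizes that happen to contain dots) count.
    """
    hits = set()
    for host in _HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.add(host.lower())
    for path in _URL_RE.findall(line):
        if path.lower() in IOC_URL_PATHS:
            hits.add(path.lower())
    for ip_text in _IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        if ip in IOC_IPS:
            hits.add(str(ip))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line carrying at least one indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_iocs(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(sorted(hits))}")
```

Run it against real exports by replacing `SAMPLE_LOGS` with the lines of your proxy or resolver log; the source IP in a hit (10.0.0.15 in the sample) is the host to pull for the hi.exe dropper and its DLLs.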
