CVE-2012-4792 Exploit Utilized in “Wateringhole” Style Attacks

Search your proxy logs from the past few weeks for the strings below. Infected hosts will likely begin communicating with command-and-control (C2) servers on dynamic domains shortly after exploitation.

HTTP Request Method = GET
URI Strings:

*/xsainfo.jpg
*/today.swf
*/Grumgog.swf
*/DOITYOUR02.html
*/DOITYOUR01.txt
*/mt.html
*/javamt.html
*/AppletHigh.jar
*/AppletLow.jar
*/green.swf
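
One way to run this search, as an added example that is not part of the original post: it matches GET requests whose final path segment is one of the strings above and lists the hosts each matching client contacted afterwards, for C2 review. The Squid native log layout, case-insensitive matching, the function names and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# URI indicators from this page, leading "*/" dropped, lowercased (assumption:
# match case-insensitively, since the serving hosts may ignore case).
INDICATORS = {n.lower() for n in (
    "xsainfo.jpg", "today.swf", "Grumgog.swf", "DOITYOUR02.html",
    "DOITYOUR01.txt", "mt.html", "javamt.html", "AppletHigh.jar",
    "AppletLow.jar", "green.swf")}

# Constructed sample in Squid native access.log layout (assumed format):
# time elapsed client result/status bytes method URL user peer type
SAMPLE_LOG = """\
1358240000.100 120 192.0.2.10 TCP_MISS/200 5120 GET http://site.example/news/index.html - DIRECT/198.51.100.5 text/html
1358240005.200 95 192.0.2.10 TCP_MISS/200 2048 GET http://site.example/js/today.swf?x=1 - DIRECT/198.51.100.5 application/x-shockwave-flash
1358240006.300 80 192.0.2.10 TCP_MISS/200 900 GET http://site.example/js/xsainfo.jpg - DIRECT/198.51.100.5 image/jpeg
1358240090.000 60 192.0.2.10 TCP_MISS/200 300 GET http://host1.dyn.example/a.php - DIRECT/203.0.113.9 text/html
1358240100.000 70 192.0.2.22 TCP_MISS/200 700 GET http://other.example/format.html - DIRECT/198.51.100.7 text/html
1358240110.000 70 192.0.2.22 TCP_MISS/200 700 POST http://other.example/mt.html - DIRECT/198.51.100.7 text/html
"""

def parse(line):
    """Return (time, client, method, split_url, url), or None if malformed."""
    f = line.split()
    try:
        return float(f[0]), f[2], f[5], urlsplit(f[6]), f[6]
    except (IndexError, ValueError):
        return None

def hunt(log_text):
    """Map each matching client to its hits and the hosts it contacted later.

    Assumes the log is in chronological order.
    """
    hits, later = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, method, parts, url = rec
        # "*/name" means the whole last path segment, so format.html != mt.html
        name = parts.path.rsplit("/", 1)[-1].lower()
        if method == "GET" and name in INDICATORS:
            hits[client].append((ts, url))
        elif client in hits and parts.hostname and parts.hostname not in later[client]:
            later[client].append(parts.hostname)
    return {c: {"hits": hits[c], "later_hosts": later[c]} for c in hits}
```

The `later_hosts` list is a review queue rather than a verdict: it contains every host the client reached after its first match, including benign ones.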

Reference: http://eromang.zataz.com/2013/01/15/watering-hole-campaign-use-latest-java-and-ie-vulnerabilities/
