Exploit:JS/Blacole.AT is a variant of JS/Blacole, JavaScript malware that consists of several exploits and is created by the "Blackhole" exploit kit. An attacker installs Exploit:JS/Blacole.AT on compromised websites. It attempts to exploit the CVE vulnerabilities listed further down this page.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
This threat exploits known vulnerabilities in Adobe Reader, Adobe Acrobat and Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about this vulnerability in Java, as well as where to download the software update from the following links:
It may be necessary to remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information.
Exploit:JS/Blacole.AT attempts to exploit the following CVE vulnerabilities in order to download and execute other malware:
CVE-2007-5659 - multiple buffer overflows in Adobe Reader and Acrobat
CVE-2009-0927 - stack-based buffer overflow in Adobe Reader and Acrobat
CVE-2010-0886 - unspecified vulnerability in the Java Deployment Toolkit component of Java
CVE-2010-1885 - Microsoft Windows Help Center URL Validation Vulnerability
CVE-2011-2110 - unspecified vulnerabilities in Adobe Flash Player
If the exploit code runs successfully on a vulnerable computer, the payload is executed.
Payload
Downloads other malware
When a user visits a compromised website that contains the malicious script, it displays the following page and also attempts to contact a remote server to download other malware:
This variant attempts to download malware from the domain "quadsta.info". At the time of this writing, the requested URL and files were unavailable for analysis.
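To check whether any host on a network contacted the download domain named above, web proxy logs can be searched for it. The following is an added example, not part of the original write-up or any Microsoft tooling; the log format, the sample lines and the function names are assumptions constructed for illustration. It matches on the parsed hostname rather than on a substring, so look-alike hosts and query strings do not produce false hits.

```python
from urllib.parse import urlsplit

# Domain named in this write-up as the download location.
IOC_DOMAIN = "quadsta.info"

# Constructed sample proxy log (assumed format:
# "<timestamp> <client_ip> <method> <target> <status>"); not real telemetry.
SAMPLE_LOG = """\
2012-03-01T09:14:02Z 10.0.4.17 GET http://quadsta.info/ 404
2012-03-01T09:14:05Z 10.0.4.17 GET http://cdn.QUADSTA.info./x 404
2012-03-01T09:15:40Z 10.0.7.22 GET http://notquadsta.info/index.html 200
2012-03-01T09:16:11Z 10.0.7.22 GET http://quadsta.info.example.com/ 200
2012-03-01T09:17:30Z 10.0.9.3 CONNECT quadsta.info:443 503
2012-03-01T09:18:00Z 10.0.9.8 GET http://example.org/?ref=quadsta.info 200
malformed line
"""

def host_of(target):
    """Return the normalised hostname from a URL or a CONNECT host:port."""
    if "://" not in target:
        target = "//" + target  # CONNECT lines carry "host:port" only
    try:
        host = urlsplit(target).hostname  # already lower-cased by urlsplit
    except ValueError:
        return None
    return host.rstrip(".") if host else None  # drop trailing root dot

def matches_ioc(host, domain=IOC_DOMAIN):
    """True for the domain itself or any subdomain, never a mere suffix."""
    return host == domain or host.endswith("." + domain)

def find_hits(log_text, domain=IOC_DOMAIN):
    """Map each client IP to the list of matching hostnames it requested."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, target, _status = fields
        host = host_of(target)
        if host and matches_ioc(host, domain):
            hits.setdefault(client, []).append(host)
    return hits

if __name__ == "__main__":
    for client, hosts in find_hits(SAMPLE_LOG).items():
        print(client, len(hosts), sorted(set(hosts)))
```

Clients reported by `find_hits` are the ones to prioritise for a full scan and for the Adobe and Java updates described earlier on this page.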