
HTML/Costacas


First posted on 06 October 2015.
Source: Microsoft

Aliases :

There are no other names known for HTML/Costacas.

Explanation :

Threat behavior

Installation

Your PC might get infected by this threat by clicking on a link in an email, or simply by visiting either hacked or malicious websites.

Payload

This threat checks what browser and browser plug-ins you have installed. Based on this information, it checks what versions of the following plugins you have installed on your PC:

  • Shockwave Flash Player
  • Browser scripting engine


The version information is then encrypted and sent to a malicious website. We have observed this threat send encrypted version information to the following websites:

  • bzycok.key-updates.pw
  • kopoxypo.ads-youtube.pw
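
One way to look for this traffic in DNS or proxy logs is sketched below; it is an added example, not part of the original write-up. The log format and sample lines are constructed, and flagging other hosts under the same parent domains as "related" is an assumption, since only the two full hostnames above were reported.

```python
# Hostnames taken from the write-up above.
OBSERVED_HOSTS = {"bzycok.key-updates.pw", "kopoxypo.ads-youtube.pw"}
# Assumption: sibling hosts under the same parent domains deserve review.
PARENT_DOMAINS = {h.split(".", 1)[1] for h in OBSERVED_HOSTS}

# Constructed sample log (hypothetical format: timestamp client query-name type).
SAMPLE_LOG = """\
2015-10-06T09:14:02Z 10.0.4.17 www.example.com. A
2015-10-06T09:14:05Z 10.0.4.17 BZYCOK.key-updates.pw. A
2015-10-06T09:14:09Z 10.0.4.23 cdn.ads-youtube.pw A
2015-10-06T09:15:11Z 10.0.4.31 key-updates.pw.example.org A
2015-10-06T09:15:40Z 10.0.4.23 kopoxypo.ads-youtube.pw AAAA
malformed line
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return name.strip().lower().rstrip(".")

def classify(host):
    """Return 'observed', 'related' or None for a queried hostname."""
    host = normalize(host)
    if host in OBSERVED_HOSTS:
        return "observed"
    # Compare on a label boundary so look-alikes such as
    # key-updates.pw.example.org are not matched by substring.
    if any(host == d or host.endswith("." + d) for d in PARENT_DOMAINS):
        return "related"
    return None

def scan(log_text):
    """Yield (timestamp, client, hostname, verdict) for matching log lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname, _qtype = fields
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, normalize(qname), verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A client that shows an "observed" hit is a candidate for the follow-up checks on browser and plugin versions described in this entry.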


The malicious website can respond with exploit code that targets a vulnerability in your browser or plugins.

Exploits vulnerabilities in Adobe Flash Player and Oracle Java

The threat tries to exploit the following vulnerabilities:

  • CVE-2013-2551
  • CVE-2014-0515
  • CVE-2013-2465


Downloads malware

If your PC is vulnerable to any of these flaws, and this threat successfully exploits them, it might download more malware onto your PC. We've observed these malware families on the same PC as Costacas and the exploits:

  • Exploit:JS/Costacas
  • Exploit:VBS/Costacas
  • Exploit:Java/CVE-2013-2465


We have seen it try to download:

  • Trojan:Win32/Meteit
  • Virtool:Win32/Obfuscator.WT


Additional information

This threat is part of the exploit kit called "CottonCastle EK". See our page on exploits for more information.



Analysis by Jonathan San Jose

Symptoms

Alerts from your security software may be the only symptom.

Last update 06 October 2015

 
