Kaspersky Lab researchers recently came across a compromised Korean news site, minjok.com, which was pushing a malicious Java applet exploiting the CVE-2013-0422 vulnerability. The same vulnerability was recently exploited in attacks on Reporters Without Borders and NBC.com.
The site has since been taken down, though the researchers say they have also found a similar infection on a Chinese news site. Because both sites cover news about China and North Korea, Kaspersky Lab's Dmitry Tarakanov notes, they are logical targets for a watering hole attack.
According to Tarakanov, a single line of code directs the visitor's browser to download and execute a malicious Java applet, which then downloads and runs a malicious executable disguised as a GIF file. The executable installs a file called agentm.exe in a temp folder and creates a registry value to run agentm.exe every time the infected computer starts up.
Agentm.exe is a backdoor which connects to the command and control server. "The backdoor is pretty simple: it is able to perform just two actions by commands from the C&C -- to download for execution a Dynamic Link Library and to uninstall itself. ... The C&C doesn’t send additional libraries to an infected machine instantly; attackers push them when they explore what the computer has been netted," Tarakanov writes.
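Two defensive checks that the infection chain described above suggests, written here as an added example rather than code from Kaspersky's write-up: flag a downloaded file whose image extension hides a Windows PE ("MZ") header, and flag Run-key values that launch an executable from a temp folder. The sample bytes and registry snapshot are constructed; only the file name agentm.exe comes from the article.

```python
import os
import re

# Windows PE files start with the "MZ" signature; real GIFs start with GIF87a/GIF89a.
PE_MAGIC = b"MZ"
IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}

# Temp locations a startup (Run-key) entry should normally never point into.
TEMP_PATH = re.compile(r"(%temp%|%tmp%|\\temp\\|\\tmp\\)", re.IGNORECASE)


def looks_like_pe_disguised_as_image(filename: str, head: bytes) -> bool:
    """True when an image-named file begins with a PE (MZ) header instead of an image magic."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTENSIONS and head[:2] == PE_MAGIC


def suspicious_run_entries(run_values: dict) -> list:
    """Return names of Run-key values whose command launches something from a temp directory."""
    return sorted(name for name, cmd in run_values.items() if TEMP_PATH.search(cmd))


# Constructed sample: first bytes of a downloaded "image" and a snapshot of Run-key values
# (name -> command line), as an EDR agent or forensic script might collect them.
SAMPLE_DOWNLOAD = ("picture.gif", b"MZ\x90\x00\x03\x00\x00\x00")
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SysUpdate": r"C:\Users\alice\AppData\Local\Temp\agentm.exe",  # persistence like the write-up
    "Audio": r"C:\Program Files\Realtek\Audio\RtkNGUI64.exe -s",
}


def scan(download=SAMPLE_DOWNLOAD, run_values=SAMPLE_RUN_VALUES) -> dict:
    """Run both checks and return the findings."""
    name, head = download
    return {
        "disguised_pe": looks_like_pe_disguised_as_image(name, head),
        "temp_persistence": suspicious_run_entries(run_values),
    }


if __name__ == "__main__":
    print(scan())
```

On a live host the same two functions would be fed the first bytes of each file in the browser's download directory and the values read from the HKCU/HKLM Run keys; the heuristics are coarse, so matches are triage leads, not verdicts.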