Home / malware HTML/Costacas
First posted on 06 October 2015.
Source: MicrosoftAliases :
There are no other names known for HTML/Costacas.
Explanation :
Threat behavior
Installation
Your PC might get infected by this threat by clicking on a link in an email, or simply by visiting either hacked or malicious websites.
Payload
This threat checks what browser and browser plug-ins you have installed. Based in this information, it checks what versions of the following plugins you have installed in your PC:
- Shockwave Flash Player
- Browser scripting engine
The version information is then encrypted and sent to a malicious website. We have observed this threat send encrypted version information to the following websites:
- bzycok.key-updates.pw
- kopoxypo.ads-youtube.pw
The malicious website can respond with exploit code that contains the vulnerability for your browser or plugins.
Exploits vulnerabilities in Adobe Flash Player and Oracle Java
The threat tries to exploit the following vulnerabilities:
- CVE-2013-2551
- CVE-2014-0515
- CVE-2013-2465
Downloads malware
If your PC is vulnerable to any of these flaws, and this threat successfully exploits them, it might download more malware onto your PC. We've observed these malware families in the same PC as Costacas and the exploits:
- Exploit:JS/Costacas
- Exploit:VBS/Costacas
- Exploit:Java/CVE-2013-2465
We have seen it try to download:
- Trojan:Win32/Meteit
- Virtool:Win32/Obfuscator.WT
Additional information
This threat is part of the exploit kit called "CottonCastle EK". See our page on exploits for more information.
Analysis by Jonathan San Jose
Symptoms
Alerts from your security software may be the only symptom.
Last update 06 October 2015
