This kit appears to be popping up, so far, on compromised WordPress sites, so make sure you have WordPress core and any themes/plugins updated.
FireAMP and ClamAV detect the dropped executable. Snort rules for this kit are SIDs 30001 through 30009 and will be published in the next rule release.
The kit runs in three steps:
Step 1 - Initial landing page, reached via an iframe injected into another (compromised) site
Step 2 - Submit a hash of fonts + user agent, and direct the browser to a kitchen sink of six different exploits
Step 3 - Various exploits, selected according to the conditions listed below
The exploit URLs look like this:
hxxp://compromised.example/wp-includes/pomo/dtsrc.php?a=XXX -- where XXX is one of the following
h2 == java < v1.7.17
h3 == chrome w/ java < v1.7.17
h4 == msie 6 and winver < 6 (below Vista)
h5 == java < v1.7.17 and msie 7 and winver < 6 (below Vista)
h6 == msie 8 and winver < 6 (below Vista)
h7 == java < v1.6.32
r2 == malicious java JAR
r7 == malicious java JAR
dwe == malicious PE executable
Note that wp-includes/pomo/ is a legitimate WordPress core directory, but dtsrc.php is not a core file, so its presence there is a good indicator that the site has been compromised.
Here are the hashes of the malicious files we downloaded:
SHA256: 164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da dtsrc.php?a=dwe
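To turn the URL pattern and the `a=` mapping above into something you can run against your own web server logs, here is an added example (not code from the original post or from Cisco/Sourcefire). It parses Common Log Format access-log lines, flags requests to `wp-includes/pomo/dtsrc.php`, labels each by the `a` value using the table from this post, and separately checks a file's SHA256 against the published hash. The log lines and client IPs are constructed for the example and are not real traffic; the request-line regex assumes a standard Apache/nginx combined log layout.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Meaning of the dtsrc.php "a" parameter, as listed in the post.
DTSRC_ACTIONS = {
    "h2":  "exploit stage: Java < 1.7.17",
    "h3":  "exploit stage: Chrome with Java < 1.7.17",
    "h4":  "exploit stage: MSIE 6 on Windows < 6 (below Vista)",
    "h5":  "exploit stage: Java < 1.7.17, MSIE 7, Windows < 6 (below Vista)",
    "h6":  "exploit stage: MSIE 8 on Windows < 6 (below Vista)",
    "h7":  "exploit stage: Java < 1.6.32",
    "r2":  "payload: malicious Java JAR",
    "r7":  "payload: malicious Java JAR",
    "dwe": "payload: malicious PE executable",
}

# Published SHA256 of the dropped executable served by dtsrc.php?a=dwe.
KNOWN_BAD_SHA256 = {
    "164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da": "dtsrc.php?a=dwe",
}

# Common/combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DTSRC_PATH_RE = re.compile(r"/wp-includes/pomo/dtsrc\.php$")


def classify_request(target):
    """Return (action, description) for a dtsrc.php request target, or None if unrelated."""
    parsed = urlparse(target)
    if not DTSRC_PATH_RE.search(parsed.path):
        return None
    action = parse_qs(parsed.query).get("a", [None])[0]
    if action is None:
        # The post only documents requests carrying an "a" parameter.
        return ("<none>", "dtsrc.php request without 'a' parameter (not documented in the post)")
    return (action, DTSRC_ACTIONS.get(action, "unknown 'a' value"))


def scan_access_log(lines):
    """Scan access-log lines and return one dict per request to the kit's dtsrc.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        result = classify_request(m.group("target"))
        if result is None:
            continue
        action, description = result
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "action": action,
            "description": description,
        })
    return hits


def summarize(hits):
    """Count hits per 'a' value and list client IPs that fetched a payload stage (JAR or PE)."""
    per_action = Counter(h["action"] for h in hits)
    payload_clients = sorted({h["ip"] for h in hits if h["description"].startswith("payload")})
    return per_action, payload_clients


def check_sample(data):
    """Return the IOC label if the bytes hash to a published SHA256, else None."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2013:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2013:14:02:13 +0000] "GET /wp-includes/pomo/dtsrc.php?a=h2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2013:14:02:14 +0000] "GET /wp-includes/pomo/dtsrc.php?a=r2 HTTP/1.1" 200 40960 "-" "Java/1.7.0_10"
203.0.113.5 - - [10/Dec/2013:14:02:16 +0000] "GET /wp-includes/pomo/dtsrc.php?a=dwe HTTP/1.1" 200 98304 "-" "Java/1.7.0_10"
198.51.100.9 - - [10/Dec/2013:14:03:01 +0000] "GET /wp-includes/pomo/mo.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} a={h["action"]:<4} -> {h["description"]}')
    counts, clients = summarize(found)
    print("requests per 'a' value:", dict(counts))
    print("clients that fetched a payload:", clients)
```

Point `scan_access_log` at your real access log (for example `scan_access_log(open("/var/log/apache2/access.log"))`) and treat any client that reached an `r2`, `r7` or `dwe` stage as a probable victim; a legitimate request to `wp-includes/pomo/mo.php`, as in the last sample line, is correctly ignored.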
We'll be posting more results as investigation continues.
Update: Our colleagues over in the TRAC group wrote about this back in September (http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/), when the attack was a bit more confined.
Update 2: This was previously identified as the "LightsOut" exploit kit. It seems to come and go and is used by different groups.