The AlienVault Blogs: Taking On Today’s Threats

Latest Internet Explorer 0day used against Taiwan targets

Last week, Microsoft published some details of a new zero-day vulnerability affecting Internet Explorer that was being used in targeted attacks against Japanese targets, as FireEye also reported last week.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main web page, JavaScript code redirects them to the exploit page if it is their first visit:

The exploit contains ROP chains for Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploits systems running the following languages:


If exploitation is successful, the exploit downloads a payload from the IP address 210.177.74.45:

That is probably a compromised server used to host the malicious payload.

The downloaded file is called htl.jpeg and is an executable file XORed with a one-byte key (0x95).

Once executed, the malware tries to contact the following C&C servers:

- 203.114.64.202

- msdn.techsofts.com

The dropper creates the following files:

\Temp\tmp.dat

\Temp\tmp.dll
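The indicators above (the payload host, the two C&C addresses) are the kind of thing a defender turns into a retrospective search over proxy and DNS logs. The script below is an added example, not code from the post or from AlienVault: it extracts the contacted host from each log line, matches it against the indicators exactly or as a parent domain, and labels the hit as payload download or C&C. The log lines and their format are constructed for the example; the indicators themselves are the ones listed in the post.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the post.
C2_IOCS = {"203.114.64.202", "msdn.techsofts.com"}
PAYLOAD_HOST = "210.177.74.45"   # described as a probably compromised server

# Constructed sample log lines (hypothetical format: "<ts> <source> src=<ip> url=... | query=...").
SAMPLE_LOGS = [
    "2013-09-20T10:01:02Z proxy src=10.0.0.5 url=http://210.177.74.45/htl.jpeg status=200",
    "2013-09-20T10:01:09Z dns src=10.0.0.5 query=msdn.techsofts.com type=A",
    "2013-09-20T10:01:10Z proxy src=10.0.0.5 url=http://203.114.64.202/index.asp status=200",
    "2013-09-20T10:02:00Z dns src=10.0.0.7 query=www.example.com type=A",
    "2013-09-20T10:02:05Z proxy src=10.0.0.7 url=https://www.example.com/logo.jpeg status=200",
]

# Captures the host from either "url=<scheme>://<host>/..." or "query=<host>".
HOST_RE = re.compile(r"(?:url=\w+://|query=)([^/\s]+)")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def extract_host(line: str) -> Optional[str]:
    m = HOST_RE.search(line)
    return m.group(1).lower() if m else None


def match_ioc(host: Optional[str]) -> Optional[str]:
    """Return the matching indicator for an exact host or any subdomain of an indicator domain."""
    if host is None:
        return None
    for ioc in C2_IOCS | {PAYLOAD_HOST}:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source-ip, indicator, stage) for every line that touches an indicator."""
    hits = []
    for line in lines:
        ioc = match_ioc(extract_host(line))
        if ioc is None:
            continue
        src = SRC_RE.search(line)
        stage = "payload-download" if ioc == PAYLOAD_HOST else "c2"
        hits.append((src.group(1) if src else "?", ioc, stage))
    return hits


if __name__ == "__main__":
    for src, ioc, stage in scan(SAMPLE_LOGS):
        print(f"{src} -> {ioc} ({stage})")
```

Because the payload host is described as a compromised legitimate server, a hit on 210.177.74.45 alone is weaker evidence than a hit on either C&C indicator; the `stage` label is there so the two can be triaged differently.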

It sends the following HTTP requests:


We will continue to post more information about this threat including attribution.


Stay safe!
