The AlienVault Blogs
Taking On Today’s Threats
September 26, 2013

Latest Internet Explorer 0day used against Taiwan targets

Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that was being used in targeted attacks against Japanese targets as Fireeye published last week.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main webpage a Javascript code will redirect them to the exploit page if it is the first time the visit the page:

The exploit contains ROP chains to exploit Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploit systems running the following languages:


If the exploitation is successful the exploit downloads a payload from the IP address

That is probably a compromised server used to host the malicious payload.

The download files is called htl.jpeg and it is a executable file XORED with a one byte key (0x95).

Once executed the malware try to contact the following C&C servers:



The dropper creates the following files:



It sends the following HTTP requests:




We will continue to post more information about this threat including attribution.


Stay safe!



Get the latest
security news in
your inbox.

Subscribe via Email

Labs Research
Security Essentials
All Blogs

Gartner MQ

Featured Content