Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that was being used in targeted attacks against Japanese targets as Fireeye published last week.
The exploit contains ROP chains to exploit Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploit systems running the following languages:
If the exploitation is successful the exploit downloads a payload from the IP address 126.96.36.199:
That is probably a compromised server used to host the malicious payload.
The download files is called htl.jpeg and it is a executable file XORED with a one byte key (0x95).
Once executed the malware try to contact the following C&C servers:
The dropper creates the following files:
It sends the following HTTP requests:
We will continue to post more information about this threat including attribution.