The AlienVault Blogs
Taking On Today’s Threats
September 26, 2013

Latest Internet Explorer 0day used against Taiwan targets

Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that was being used in targeted attacks against Japanese targets as Fireeye published last week.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main webpage a Javascript code will redirect them to the exploit page if it is the first time the visit the page:

The exploit contains ROP chains to exploit Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploit systems running the following languages:

 

If the exploitation is successful the exploit downloads a payload from the IP address 210.177.74.45:

That is probably a compromised server used to host the malicious payload.

The download files is called htl.jpeg and it is a executable file XORED with a one byte key (0x95).

Once executed the malware try to contact the following C&C servers:

- 203.114.64.202

- msdn.techsofts.com

The dropper creates the following files:

\Temp\tmp.dat

\Temp\tmp.dll

It sends the following HTTP requests:

 

 

 

We will continue to post more information about this threat including attribution.

 

Stay safe!

TAGS:

‹ BACK TO ALL BLOGS

Get the latest
security news in
your inbox.

Subscribe via Email

Labs Research
Security Essentials
All Blogs

Gartner MQ

Featured Content

Chat