The AlienVault Blogs: Taking On Today’s Threats
Latest Internet Explorer 0day used against Taiwan targets

Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that was being used in targeted attacks against Japanese targets, as FireEye also reported last week.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main web page, JavaScript code redirects them to the exploit page if it is their first visit to the page:

The exploit contains ROP chains to exploit Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploits systems running one of the following languages:


If exploitation is successful, the exploit downloads a payload from the following IP address:

That is probably a compromised server used to host the malicious payload.

The downloaded file is called htl.jpeg; it is an executable file XORed with a one-byte key (0x95).
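Single-byte XOR is a thin disguise: because a Windows executable always starts with "MZ" and carries a "PE\0\0" signature at the offset stored at 0x3C of the DOS header, an analyst can recover the key from the first byte alone and confirm it against the PE signature before decoding anything. The following script is an added example written for this post, not code from AlienVault Labs; the `SAMPLE_ENCODED` blob is a constructed stand-in for the real htl.jpeg (a minimal fake PE header XORed with 0x95), and the function names are our own.

```python
import struct
from typing import Optional, Tuple

XOR_KEY = 0x95  # the one-byte key reported for htl.jpeg


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Recover the single-byte XOR key that turns blob into a PE file.

    The first byte of a PE is 'M' (0x4D), so the only candidate key is
    blob[0] ^ 0x4D. That candidate is then verified against the 'Z' byte
    and against the 'PE\\0\\0' signature at e_lfanew (DOS header offset
    0x3C). Returns None if the blob is not a single-byte-XORed PE.
    """
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ 0x4D
    if blob[1] ^ key != 0x5A:  # 'Z'
        return None
    e_lfanew = struct.unpack_from("<I", xor_bytes(blob[0x3C:0x40], key))[0]
    if e_lfanew + 4 > len(blob):
        return None
    if xor_bytes(blob[e_lfanew:e_lfanew + 4], key) != b"PE\x00\x00":
        return None
    return key


def decode_payload(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded_bytes) for a XORed PE, or None if it is not one."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return key, xor_bytes(blob, key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: MZ stub, e_lfanew = 0x80,
    and a 'PE\\0\\0' signature at that offset. Not a runnable binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to offset 0x3C
    hdr += struct.pack("<I", 0x80)            # e_lfanew at offset 0x3C
    hdr += b"\x00" * (0x80 - len(hdr))        # pad up to the NT headers
    hdr += b"PE\x00\x00" + b"\x00" * 0x40     # PE signature plus filler
    return bytes(hdr)


# Constructed sample: a fake PE XORed with 0x95, standing in for htl.jpeg.
SAMPLE_ENCODED = xor_bytes(build_fake_pe(), XOR_KEY)


if __name__ == "__main__":
    result = decode_payload(SAMPLE_ENCODED)
    if result is None:
        print("not a single-byte XORed PE")
    else:
        key, decoded = result
        print(f"recovered key 0x{key:02x}, decoded header starts with {decoded[:2]!r}")
```

Applied to a file served as an image, the same check doubles as a triage heuristic: a genuine JPEG begins with FF D8 FF, so a ".jpeg" download whose bytes decode to a PE under a single-byte key is a strong indicator of the staging technique described here.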

Once executed, the malware tries to contact the following C&C servers:



The dropper creates the following files:



It sends the following HTTP requests:




We will continue to post more information about this threat including attribution.


Stay safe!


Author: AlienVault Labs