Another malicious website has been discovered hosting an exploit for the Internet Explorer zero-day vulnerability that Microsoft patched last week. Like the other exploits discovered so far, this site targets the defense and space industries and drops an as-yet-unidentified payload, according to Barracuda Labs. Researcher Dave Michmerhuizen said the compromised site is not likely part of a drive-by attack; instead, links to it are probably being included in phishing email messages sent to specific individuals within those industries.
“What makes this vulnerability so serious is that just one click on a link in such an email is all it takes to completely carry out the exploit,” Michmerhuizen wrote in a blogpost.
The site shows a WebEx meeting interface with a “Meeting Canceled” notice splashed across the page. Under the hood, two HTML pages are loaded into invisible iframe elements. One triggers the use-after-free vulnerability, bypassing Windows’ built-in ASLR protection, and includes additional commands that download and execute the malicious payload.
The second HTML file sets up and triggers the exploit if the user is running IE.
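The delivery pattern described above, two pages loaded into iframes the visitor never sees, is something a defender can look for when triaging suspicious pages. The following Python script is an added example (not Barracuda's code or anything from the original article): it parses an HTML document with the standard-library parser and flags every iframe that is present in the markup but hidden from the user, whether by zero width or height, a `display:none` or `visibility:hidden` style, or the `hidden` attribute. The sample page and the file names in it are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics for an iframe that exists in the DOM but is not shown to the user.
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_SIZE_RE = re.compile(r"^\s*0+(px)?\s*$")  # "0", "00", "0px"


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> elements whose attributes suggest they are invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lowercases tag and attribute names
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if ZERO_SIZE_RE.match(a.get("width", "")) or ZERO_SIZE_RE.match(a.get("height", "")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("style hides element")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html: str):
    """Return a list of {"src", "reasons"} dicts, one per hidden iframe, in document order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a decoy "meeting canceled" page with one visible iframe
# and two hidden ones (file names are placeholders, not real indicators).
SAMPLE_PAGE = """
<html><body>
<h1>Meeting Canceled</h1>
<p>The meeting you were invited to has been canceled.</p>
<iframe src="help.html" width="600" height="400"></iframe>
<iframe src="stage1.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="stage2.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE):
        print(f"hidden iframe -> {finding['src']}: {', '.join(finding['reasons'])}")
```

A hidden iframe is not malicious by itself (tracking and widget code uses them routinely), so this is a triage signal rather than a verdict: pages that hit the rule are worth pulling apart, and the `src` values are the next artifacts to fetch and inspect.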
“The exploit triggers automatically and the result is the download and execution of a backdoor which gives the attacker full access to the computer, and, if they’re lucky, the organizational network that the computer is on,” Michmerhuizen wrote.
Previous exploits were dropping either the Poison Ivy or PlugX remote access Trojans. This malicious file discovered by Barracuda has a similar file name to the others, Grumgog.swf, named after a character in a video game. Barracuda did not identify the payload dropped here, but did call it a backdoor.
“The exploit is being used in a very targeted way, spear-phishing certain industries and installing remote backdoors,” a Barracuda spokesperson said. “The concern is that it could be replicated easily by people who sell the Black Hole exploit kit – and expose a much larger number of people.”
The vulnerability was discovered more than a week ago by researcher and Metasploit contributor Eric Romang, while monitoring infected servers hosting exploits for a pair of Java zero-day vulnerabilities discovered in August. Romang found similar HTML pages and a malicious Flash movie file serving up the Poison Ivy RAT.
He contributed to a Metasploit exploit module that was released on Monday. One day later, researchers at AlienVault discovered three more exploits targeting defense industry-related sites in the United States and India. These were dropping the PlugX RAT. All of the exploit activity is being attributed to Nitro, a group of hackers in China.
This activity prompted Microsoft to first issue recommended workarounds, followed by a FixIt solution that would temporarily mitigate the vulnerability until it released an out-of-band patch on Friday.
The vulnerability is the execCommand use-after-free flaw in IE versions 6 through 9. It occurs because of the way IE accesses an object in memory that has already been deleted or has not been properly allocated. A successful exploit gives the attacker the same privileges as the logged-in user.