A researcher at AlienVault has discovered three new servers delivering exploits targeting the latest zero-day vulnerability in Internet Explorer. Jamie Blasco, AlienVault Labs manager, said one of the servers is delivering a new malware payload, and all of them appear to be targeting defense contractors in the United States and India.
The IE zero-day is a memory-corruption vulnerability that, if exploited, would give an attacker remote control over a compromised machine. The vulnerability is found in IE versions 6-9; Microsoft issued a security advisory this morning and recommended several workarounds in advance of a patch.
The four exploits appear to be linked to the same hacker group in China, known as Nitro, which was also behind exploits targeting two Java zero-day flaws. Blasco was also able to identify one of the attackers: a virus expert known as WHG, who works as a security expert for a technology company in China.
The original payload in the first exploit reported yesterday was the Poison Ivy remote access Trojan. One of the new servers Blasco discovered today contains similar HTML exploit pages and a Flash movie that delivers the PlugX RAT instead.
One of the IP addresses and domains targeted by the new exploit belongs to an employee at Composite Engineering Inc., a manufacturer of high performance aerial target systems.
Another file, a variant of the HTML pages found in the other exploits, was being served from the website of the Defense News Portal in India. The code there triggers the IE vulnerability, and an unknown exploit was being served from the site as long as four days ago. The attackers removed the malicious content before Blasco was able to retrieve it.
“It’s important to note they had this code before it was reported,” Blasco said. “They didn’t write it off the Metasploit code.”
Metasploit released an exploit module for the bug on Monday.
The other new server hosting an exploit is a phony domain created for the LED Professional Symposium. Blasco said the attackers would likely use spear phishing to lure victims to the site. The Flash file serving the exploit is similar to the others discovered, though this one is named Grumgog.swf, after a character in the game Warlock: Master of the Arcane. Blasco said other file names used by these attackers referenced the same game. The Flash file was also encrypted in the same way as the others and licensed to the same email address.
Blasco added that the new exploits appear to be targeting only Windows XP systems running IE 7 or 8. He said some code found in the Flash file may work against Windows 7 systems, but he was not sure.