There are at least two different groups running attacks exploiting the recently published zero day vulnerability in Internet Explorer 10, and researchers say one of the groups used the bug to impersonate a French aerospace manufacturer and compromise victims visiting the spoofed Web page. The attackers also used a special feature of their malware to change portions of the Windows host file to steal credentials when users visit secure sites.
Last week, researchers at FireEye identified a compromised page on the site of the Veterans of Foreign Wars and discovered that it was being used to exploit visitors using the IE zero day. The company said that the attack bore some resemblance to previous operations from a known group that also incorporated zero days. However, researchers at Seculert said that there also appears to have been a second, separate attack by an unaffiliated group of attackers.
“Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer (Figure 2). The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C). Seculert’s investigation has concluded that the C&C is hosted on the same server as the exploit, located in the United States. Moreover, typical red flags would remain unraised as the malware itself has a valid digital certificate. The certificate belongs to MICRO DIGITAL INC. and is valid since March 21, 2012,” Aviv Raff, CTO of Seculert, wrote in an analysis of the attack.
The attackers are using the malware to change the host files on infected machines and add in several secure domains for French aerospace companies. This kind of behavior has been seen in the past from attackers running so-called pharming campaigns, in which compromised machines are used to send traffic to phishing sites. This attack group is using the host-file modification for a different reason, though.
“But what is disturbing about this attack is that the same behavior accomplished a completely different goal. The domains that were added to the hosts file by the malware provide remote access to the employees, partners, and 3rd party vendors of a specific multinational aircraft and rocket engine manufacturer. The IPs added belong to the real remote access web servers and by adding the records to the hosts file the attackers ensured that there would be no DNS connectivity issues. Whenever the infected machines connect to the remote assets, the attackers are able to steal the sensitive credentials. This is the first time we have seen a malware change a hosts file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,” Raff said.
Given the differences in the attack methodology and the malware used, as well as the C&C infrastructure, Raff said the logical conclusion is that there are two different groups using the IE 10 0-day.
“The main differences in this attack lead us to conclude that the group behind the attack is different than previously hypothesized,” Raff said.
Image from Flickr photos of Jeremy Seitz.