Latest Internet Explorer 0day used against Taiwan targets

September 26, 2013 | Jaime Blasco

Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that was being used in targeted attacks against Japanese targets as Fireeye published last week.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main webpage a Javascript code will redirect them to the exploit page if it is the first time the visit the page:

The exploit contains ROP chains to exploit Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploit systems running the following languages:


If the exploitation is successful the exploit downloads a payload from the IP address

That is probably a compromised server used to host the malicious payload.

The download files is called htl.jpeg and it is a executable file XORED with a one byte key (0x95).

Once executed the malware try to contact the following C&C servers:



The dropper creates the following files:

Temp mp.dat

Temp mp.dll

It sends the following HTTP requests:




We will continue to post more information about this threat including attribution.


Stay safe!

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›



Get price Free trial