Latest Internet Explorer 0day used against Taiwan targets

September 26, 2013  |  Jaime Blasco

Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that, as FireEye reported last week, was being used in targeted attacks against Japanese targets.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main webpage, a piece of JavaScript redirects them to the exploit page if it is the first time they visit the page:

The exploit contains ROP chains to exploit Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploits systems running the following languages:


If the exploitation is successful, the exploit downloads a payload from the IP address 210.177.74.45:

That is probably a compromised server used to host the malicious payload.

The downloaded file is called htl.jpeg and it is an executable XORed with a one-byte key (0x95).
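To recover the executable from a captured htl.jpeg for analysis, an analyst can XOR every byte with the key and confirm the result has a valid MZ/PE header. The script below is an added example, not code from the original post: it recovers a single-byte XOR key from a disguised payload using the known 'MZ' plaintext at offset 0, confirms it via the e_lfanew/PE signature check, and runs on a constructed PE stub rather than the real sample.

```python
import struct
from typing import Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Derive the single-byte key from the known 'MZ' plaintext, then verify the PE layout.

    With a one-byte key, blob[0] ^ key must equal 'M', so the key is fixed by the
    first byte; 'Z' at offset 1 and the PE signature rule out coincidental matches.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ MZ[0]
    if blob[1] ^ key != MZ[1]:
        return None
    return key if looks_like_pe(xor_bytes(blob, key)) else None

def decode_payload(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded executable) for a disguised payload, or None if not a XORed PE."""
    key = recover_xor_key(blob)
    return None if key is None else (key, xor_bytes(blob, key))

def build_stub_pe() -> bytes:
    """Constructed stand-in for an executable (not the real sample): MZ header,
    e_lfanew -> 0x80, DOS stub text, then the PE signature and i386 Machine field."""
    hdr = bytearray(0x80)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + PE_SIG + b"\x4c\x01" + bytes(30)

# Constructed sample mimicking the post's htl.jpeg: the stub PE XORed with 0x95.
CONSTRUCTED_HTL_JPEG = xor_bytes(build_stub_pe(), 0x95)

if __name__ == "__main__":
    result = decode_payload(CONSTRUCTED_HTL_JPEG)
    if result:
        print(f"key=0x{result[0]:02x} header={result[1][:2]!r}")
```

A real JPEG starts with FF D8 FF, so the same check reports None for a genuine image rather than a disguised executable.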

Once executed, the malware tries to contact the following C&C servers:

- 203.114.64.202

- msdn.techsofts.com

The dropper creates the following files:

- Temp mp.dat

- Temp mp.dll

It sends the following HTTP requests:


We will continue to post more information about this threat including attribution.


Stay safe!
