Latest Internet Explorer 0day used against Taiwan targets

September 26, 2013  |  Jaime Blasco

Last week, Microsoft published some details regarding a new zero-day vulnerability affecting Internet Explorer that, as FireEye reported at the same time, was being used in targeted attacks against Japanese targets.

We have identified a version of the exploit hosted on a subdomain of Taiwan's Government e-Procurement System. When users visit the main webpage, a JavaScript snippet redirects them to the exploit page if it is the first time they visit the page:

The exploit contains ROP chains for Windows XP and Windows 7 systems running Internet Explorer 8 and 9. It only exploits systems running the following languages:


If the exploitation is successful the exploit downloads a payload from the IP address

That is probably a compromised server used to host the malicious payload.

The downloaded file is called htl.jpeg; it is an executable XORed with a one-byte key (0x95).
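A one-byte XOR is cheap to undo and, for a defender, easy to detect: decode with every possible key and look for the DOS "MZ" and "PE\0\0" signatures. The following is an added example (not code from the original post); it builds a constructed stand-in for the htl.jpeg download rather than using a real sample.

```python
import struct

XOR_KEY = 0x95  # one-byte key reported for htl.jpeg


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (symmetric: encodes and decodes)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and has 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # An out-of-range e_lfanew yields a short slice and simply fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes):
    """Brute-force all 256 single-byte keys; return the key that yields a PE header, else None."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like header: MZ stub, e_lfanew = 0x80, PE signature."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed stand-in for the downloaded "htl.jpeg" (a PE XORed with 0x95), not the real sample.
FAKE_HTL_JPEG = xor_bytes(build_fake_pe(), XOR_KEY)

if __name__ == "__main__":
    key = recover_xor_key(FAKE_HTL_JPEG)
    print(f"recovered key: {key:#04x}" if key is not None else "no single-byte XOR PE found")
```

A genuine JPEG (magic FF D8) cannot match "MZ" under any single key, so the recovery returns None for real images and only flags disguised executables.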

Once executed, the malware tries to contact the following C&C servers:


- msdn.techsofts.com

The dropper creates the following files:

- Temp mp.dat
- Temp mp.dll

It sends the following HTTP requests:




We will continue to post more information about this threat including attribution.


Stay safe!
