Microsoft just issued a patch for a zero-day vulnerability in Internet Explorer that has been exploited in several attacks. In one of the cases, a compromised website was hosting malicious code that generated an iframe overlay designed to look like the website itself. This then redirected unsuspecting victims to another website that installed a seemingly innocent file (java.html) that actually infected them with a dangerous piece of malware (backdoor/trojan) called Korplug.
As systems administrators and/or security engineers, we caution our users to be aware when using corporate assets (laptops, mobile devices, servers, etc.) to browse the internet, read email, or to run software. We do this because unsuspecting users are one of the most viable entry points for today’s attacks. Every day we see successful breaches that were initiated by users executing malicious email attachments, downloading files from suspicious websites, or even installing cracked software. I’m looking at you, guy in accounting with the entire Adobe Creative Suite installed on your workstation…
What’s even worse is when a user is doing ‘the right thing’ and inadvertently compromises company assets. This can be the result of a piece of malware posing as a legitimate spreadsheet or word doc attached to an email, or in this case, a hacked website that prompts users to download and execute malware.
Impact on you
This vulnerability allows an attacker to execute remote malicious code on a user’s machine when viewing the compromised website with Internet Explorer. As seen in the example above, the exploited vulnerability can be used to trick a user into downloading what they think is a java update but turns out to be a trojan virus. Once Korplug (or similar backdoor/trojan malware) is installed on a users machine, an attacker has complete control, allowing for possible privilege escalation, exfiltrating data on the user’s machine, or acting as a pivot point to access more sensitive systems.
How AlienVault Helps
AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result.The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2015-2502)
- System Compromise, Backdoor, Korplug
There's an OTX pulse associated with it.
Learn more about this threat intelligence update and others in our forum.