In an earlier blog, Symantec highlighted that we were investigating reports of a zero-day exploit affecting Internet Explorer 10 in the wild. Now we have further details on the attack leveraging this new zero-day, Microsoft Internet Explorer CVE-2014-0322 Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322).
Figure. Watering hole attack using IE 10 0-day
Anatomy of the attack
The target of this watering hole attack was the vfw.org (Veterans of Foreign Wars) website. While this attack was active, visitors to the site would encounter an IFrame, inserted by the attackers, that loaded a second compromised page (hosted on aliststatus.com) in the background. The IFrame's img.html page loads a malicious tope.swf Flash file that exploits a vulnerability in Internet Explorer 10. Symantec detects the malicious IFrame as Trojan.Malscript and the malicious SWF file as Trojan.Swifi.
Exploitation of the vulnerability by the SWF file leads to another download from the aliststatus.com domain in order to initiate the final stages of the payload. The first part of this download is a PNG image file named erido.jpg (detected as Trojan Horse) that contains multiple embedded binaries, which are then extracted by shellcode executed by the SWF file. The embedded binaries are sqlrenew.txt, which despite its name is actually a DLL file (also detected as Trojan Horse), and stream.exe (detected as Backdoor.ZXShell).
Additional code from the SWF file is responsible for loading the sqlrenew.txt DLL file. At this point the DLL takes over and launches a stream.exe process, which is the final payload. This sample is responsible for connecting back to the attacker-controlled newss.effers.com server.
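The disguised-image stage above (a PNG named erido.jpg carrying embedded DLL and EXE files) lends itself to a simple file-triage check. The following is an added example, not code from Symantec or from the attack: it flags a file whose extension claims JPEG but whose magic bytes say PNG, and reports the offsets of any embedded PE images (an MZ header whose e_lfanew field points at a PE signature). The sample bytes are constructed inline.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

def detect_container(data: bytes) -> str:
    """Identify the real container format from its magic bytes."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def find_embedded_pe(data: bytes) -> list:
    """Return offsets of embedded PE images: an 'MZ' DOS header whose
    e_lfanew field (at +0x3C) points to a 'PE\\0\\0' signature in the blob."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def triage(filename: str, data: bytes) -> dict:
    """Combine extension/magic mismatch and embedded-PE findings into a verdict."""
    ext = filename.rsplit(".", 1)[-1].lower()
    fmt = detect_container(data)
    mismatch = (ext in ("jpg", "jpeg") and fmt != "jpeg") or (ext == "png" and fmt != "png")
    pes = find_embedded_pe(data)
    return {"format": fmt, "extension_mismatch": mismatch,
            "embedded_pe_offsets": pes, "suspicious": mismatch or bool(pes)}

def _fake_pe(size: int = 0x80) -> bytes:
    """Constructed minimal PE stub: MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed sample: PNG signature, a dummy IHDR chunk, then two PE stubs,
# mimicking an image file that smuggles a DLL and an EXE.
SAMPLE = (PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 17
          + _fake_pe() + b"\x00" * 32 + _fake_pe())
```

Run `triage("erido.jpg", SAMPLE)` to see the mismatch flag and both PE offsets; a genuine JPEG with no MZ/PE pairs yields `suspicious: False`.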
Connecting the dots
Data we uncovered during our investigation suggests a connection between this attack and the malicious actors known to Symantec as Hidden Lynx. The data indicates that the same infrastructure is being leveraged as was seen in a previous attack by this group, which used Backdoor.Moudoor.
What can I do to prevent and mitigate against this attack?
Users not running Internet Explorer 10, or who are running a browser native to Mac OS, are not vulnerable. For Internet Explorer 10 users on Windows, possible mitigation actions include using an alternative browser, installing Microsoft's Experience Mitigation Toolkit (EMET), or upgrading to a newer version of the browser. Symantec also encourages users to apply all relevant patches as soon as they are available.
Symantec protects customers against this attack with the following detections:
Intrusion Prevention Signatures
Our telemetry also indicates that parts of the payload were detected, at various stages, by the following heuristic detections: