Security Response

New Internet Explorer 10 Zero-Day Discovered in Watering Hole Attack

Created: 14 Feb 2014 23:58:13 GMT • Updated: 17 Feb 2014 19:20:26 GMT • Translations available: Japanese

In an earlier blog post, Symantec noted that we were investigating reports of a zero-day exploit affecting Internet Explorer 10 in the wild. We now have further details on the attack leveraging this new zero-day, the Microsoft Internet Explorer CVE-2014-0322 Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322).


Figure. Watering hole attack using IE 10 0-day

Anatomy of the attack

The target of this watering hole attack was the vfw.org (Veterans of Foreign Wars) website. While the attack was active, visitors to the site would encounter an IFrame that the attackers had inserted in order to load a second compromised page (hosted on aliststatus.com) in the background. The IFrame's img.html file loads a malicious Flash file, tope.swf, which exploits a vulnerability in Internet Explorer 10. Symantec detects the malicious IFrame as Trojan.Malscript and the malicious SWF file as Trojan.Swifi.

Exploitation of the vulnerability by the SWF file leads to another download from the aliststatus.com domain in order to initiate the final stages of the payload. The first part of this download is a file named erido.jpg, which is actually a PNG image (detected as Trojan Horse) containing multiple embedded binaries; these are extracted by shellcode executed by the SWF file. The embedded binaries are sqlrenew.txt, which despite its name is actually a DLL file (also detected as Trojan Horse), and stream.exe (detected as Backdoor.ZXShell).

Additional code in the SWF file is responsible for loading the sqlrenew.txt DLL. At this point the DLL takes over and launches a stream.exe process, which is the final payload. This sample is responsible for connecting back to the attacker-controlled newss.effers.com server.
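The delivery chain above hides a DLL and an EXE inside a file that carries a PNG signature but a .jpg name, a mismatch a responder can triage mechanically before any signature exists. The Python below is an added example written for this post, not Symantec's code: it flags extension/magic disagreement and carves embedded PE headers; the erido.jpg stand-in and its PE stubs are constructed here and contain no real malware.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header

def find_embedded_pe(data: bytes) -> list:
    """Locate PE images buried in an arbitrary blob such as a lure image.
    A PE starts with 'MZ'; its e_lfanew field (offset 0x3c) points at the
    'PE\\0\\0' signature, and Characteristics sits 22 bytes past that."""
    found, pos = [], 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe_off = pos + e_lfanew
        # Bound e_lfanew so a stray 'MZ' inside pixel data does not match
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
            chars = struct.unpack_from("<H", data, pe_off + 22)[0]
            found.append({"offset": pos, "is_dll": bool(chars & IMAGE_FILE_DLL)})
        pos += 2
    return found

def triage_image(name: str, data: bytes) -> dict:
    """Report disagreement between file extension, magic bytes and contents."""
    is_png = data.startswith(PNG_SIG)
    ext = name.rsplit(".", 1)[-1].lower()
    return {
        "name": name,
        "magic": "png" if is_png else "other",
        "ext_mismatch": is_png and ext != "png",
        "embedded_pe": find_embedded_pe(data),
    }

def _fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE header stub for the sample below (not real code)."""
    hdr = bytearray(0x80 + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 22, 0x2102 if is_dll else 0x0102)
    return bytes(hdr)

# Constructed stand-in for erido.jpg: PNG magic, then a DLL stub and an EXE stub
SAMPLE = PNG_SIG + b"\x00" * 64 + _fake_pe(True) + b"\x00" * 32 + _fake_pe(False)

if __name__ == "__main__":
    print(triage_image("erido.jpg", SAMPLE))
```

On the constructed sample the report shows a PNG named .jpg with two carved PE images, the first flagged as a DLL (sqlrenew.txt's role) and the second as an executable.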

Connecting the dots

Data we uncovered during our investigation suggests a connection between this attack and the malicious actors known to Symantec as Hidden Lynx. The data indicates that the same infrastructure is being leveraged as in a previous attack by this group, which used Backdoor.Moudoor.

What can I do to prevent and mitigate this attack?

Users not running Internet Explorer 10, or running a browser native to Mac OS, are not vulnerable. For Internet Explorer 10 users on Windows, possible mitigation actions include using an alternative browser, installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET), or upgrading to a newer version of the browser. Symantec also encourages users to apply all relevant patches when they become available.

Symantec protects customers against this attack with the following detections:

Antivirus

Intrusion Prevention Signatures

Our telemetry also indicates that parts of the payload were detected, at various stages, by the following heuristic detections: