Video Screencast Help
Connect will be READ ONLY as of February 14 and no new content will be posted. Click here to see the migration details and dates.
Security Response

New Internet Explorer zero-day exploited in Hong Kong attacks

Bug patched by Microsoft yesterday (CVE-2015-2502) has already been exploited in watering hole attacks to deliver Korplug malware.
Created: 19 Aug 2015 16:21:34 GMT • Updated: 21 Aug 2015 13:04:10 GMT • Translations available: 简体中文, 繁體中文, 日本語
Symantec Security Response's picture
+2 2 Votes
Login to vote

IE zeroday hong kong 1.jpg

A newly patched zero-day vulnerability in Internet Explorer has already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong. Symantec telemetry revealed an exploit hosted on the compromised site, which was used to infect visitors with the Korplug back door (detected by Symantec as Backdoor.Korplug).

The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502). The IP address of this website is

This website hosts a file called vvv.html, which redirects to one of two other files called a.js and b.js and leads to the download of a file called java.html to the victim’s computer. Java.html installs Korplug on the computer, in the form of an executable called c.exe.

IE zeroday hong kong 2.png
Figure 1. Malicious iFrame hosted on compromised Hong Kong website

Korplug (also known as PlugX) is a Trojan that maintains a back door on an infected computer and facilitates information stealing. Symantec has previously released several blogs around Korplug. The malware has been used in a range of attacks, mainly in Asia, over the past three years.

IE zeroday hong kong 3.png
Figure 2. Zero-day exploit leads to Korplug infection

The new Internet Explorer zero-day bug was patched yesterday by Microsoft as part of Security Bulletin MS15-093. The vulnerability permits remote code execution if a user views a specially crafted web page using Internet Explorer. Successful exploitation of the vulnerability will grant the attacker the same user rights as the current user. Microsoft’s security update resolves this issue by modifying how Internet Explorer handles objects in memory.

Symantec and Norton products protect against the exploit of this vulnerability with the following detections:


Intrusion Prevention System

The payload used in these attacks is detected as: