Symantec has discovered a zero-day exploit for a popular Chinese gaming platform that is currently active in the wild. The exploit targets two vulnerable methods in the file HanGamePluginCn18.dll (referenced by CLSID 61F5C358-60FB-4A23-A312-D2B556620F20), causing a buffer overflow condition.
The exploit attempts to download a malicious file from mm[dot]sqmnoopt[dot]com, which is detected as Downloader. Additionally, a configuration file is downloaded from cnxz[dot]kv8[dot]info, which contains links to 27 malicious executables downloaded from 444[dot]sqmnoopt[dot]com and 2[dot]kv8[dot]info. These files are detected as Infostealer.Gampass.
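The indicators above (the control's CLSID and the four download hosts) are enough to hunt for this activity in fetched web content and in proxy logs. The following Python script is an added example, not code from Symantec's post: it re-fangs the listed hosts, flags HTML that instantiates the control via its CLSID (the post does not name the two vulnerable methods, so the scanner keys on the CLSID only), and flags requests to the listed hosts. Matching sibling hosts under sqmnoopt.com and kv8.info is a heuristic assumed here, not something the post states, and the sample HTML and log lines are constructed for the example.

```python
"""Scan web content and proxy logs for the HanGamePluginCn18.dll indicators."""
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory, written de-fanged as in the text.
VULN_CLSID = "61F5C358-60FB-4A23-A312-D2B556620F20"
DEFANGED_IOC_HOSTS = [
    "mm[dot]sqmnoopt[dot]com",   # Downloader payload
    "cnxz[dot]kv8[dot]info",     # configuration file
    "444[dot]sqmnoopt[dot]com",  # Infostealer.Gampass executables
    "2[dot]kv8[dot]info",        # Infostealer.Gampass executables
]


def refang(indicator):
    """Turn a de-fanged indicator back into a matchable hostname."""
    return indicator.replace("[dot]", ".").replace("[.]", ".").lower()


IOC_HOSTS = {refang(h) for h in DEFANGED_IOC_HOSTS}
# Parent zones of the listed hosts. Matching on these is a heuristic (an assumption
# of this example, not an advisory indicator) to catch sibling hosts on the same
# infrastructure; treat such hits as lower confidence.
IOC_ZONES = {"sqmnoopt.com", "kv8.info"}

# <object classid="clsid:{...}"> in the wild varies in case and in whether braces appear.
CLSID_RE = re.compile(r"clsid:\s*\{?\s*" + re.escape(VULN_CLSID) + r"\s*\}?", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_host(host):
    """Return 'ioc' for a listed host, 'zone' for a sibling host, or None."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return "ioc"
    if any(host == z or host.endswith("." + z) for z in IOC_ZONES):
        return "zone"
    return None


def scan_html(html):
    """Return findings for a fetched page: CLSID instantiation and IOC URLs."""
    findings = []
    if CLSID_RE.search(html):
        findings.append(("clsid", VULN_CLSID))
    for url in URL_RE.findall(html):
        kind = classify_host(urlsplit(url).hostname or "")
        if kind:
            findings.append((kind, urlsplit(url).hostname))
    return findings


def scan_proxy_log(lines):
    """Return (line_no, host, kind) for each log line whose request URL hits an indicator.
    Assumes a Squid-style access log with the full URL on the line; only the host matters."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            kind = classify_host(host)
            if kind:
                hits.append((n, host, kind))
    return hits


# Constructed sample data for the example (not captured from a real incident).
SAMPLE_HTML = """<html><body>
<object classid="CLSID:{61F5C358-60FB-4A23-A312-D2B556620F20}" id="hg"></object>
<script>/* an exploit page would call the vulnerable methods on hg here */</script>
<iframe src="http://mm.sqmnoopt.com/load.php" width=0 height=0></iframe>
</body></html>"""

SAMPLE_LOG = [
    "1336512000.101 10.1.2.3 TCP_MISS/200 GET http://www.example.com/index.html",
    "1336512001.334 10.1.2.3 TCP_MISS/200 GET http://mm.sqmnoopt.com/load.php",
    "1336512002.870 10.1.2.3 TCP_MISS/200 GET http://cnxz.kv8.info/cfg.txt",
    "1336512003.015 10.1.2.3 TCP_MISS/200 GET http://7.kv8.info/a01.exe",
]

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("html:", finding)
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("log:", hit)
```

A CLSID hit on a page is the strongest signal, since legitimate sites have no reason to embed this control; a 'zone' hit on its own only says the client touched the same registered domains and should be confirmed against the exact hosts or the downloaded content.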
The vendor has been contacted, and Symantec is performing deeper analysis of this exploit, with additional information to be posted as it becomes available.