Attackers have exploited an Internet Explorer zero-day vulnerability in limited targeted attacks that affected South Korea. The exploit for the Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability (CVE-2016-0189) appears to have been hosted on a web page, which suggests that attackers used spear-phishing emails or watering hole attacks to compromise users.
Microsoft fixed the zero-day vulnerability in its latest Patch Tuesday release.
Attacks against CVE-2016-0189
Attackers took advantage of the CVE-2016-0189 vulnerability before Microsoft patched it. They may have distributed the exploit through a link included in a spear-phishing email or a compromised, legitimate website that redirected users to the exploit.
This information was then sent back to a website with South Korea’s top-level domain (TLD), .co.kr, in the URL.
Once the file was downloaded, the exploit code decrypted it by XORing the file with the value 0x55164975. The file was then saved to the computer as %Temp%\rund11.dll.
The final payload is unknown at this time.
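An added example, not part of the original post: a Python triage helper that flags a file (for instance from a proxy cache or a Temp directory) if it becomes a Windows PE image when XORed with the value above, or if it carries the dropped file name. It assumes the downloaded file is a PE image and that the 4-byte value repeats across the file; the key's byte order is not stated in the post, so both are tried.

```python
import struct

XOR_KEY = 0x55164975          # value given in the article
DROPPED_NAME = "rund11.dll"   # file name given in the article

def xor_decode(data, key, byteorder):
    """XOR data with the 4-byte key repeated across the buffer (assumed scheme)."""
    k = key.to_bytes(4, byteorder)
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))

def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(name, blob, key=XOR_KEY):
    """Return a list of findings for one file (its name plus its contents)."""
    findings = []
    if name.lower() == DROPPED_NAME:
        findings.append("name matches dropped file")
    if not is_pe(blob):
        # Byte order of the key is an assumption either way: try both.
        for order in ("little", "big"):
            if is_pe(xor_decode(blob, key, order)):
                findings.append(f"XOR-encoded PE ({order}-endian key)")
    return findings

def constructed_sample():
    """Constructed 72-byte stub holding only PE magic values, not a real DLL."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(4)
    return xor_decode(stub, XOR_KEY, "little")

if __name__ == "__main__":
    print(triage("cache_0001.bin", constructed_sample()))
    print(triage("Rund11.dll", b"not a PE at all" * 8))
```

A plain, unencoded PE file is deliberately not reported by the content check, so legitimate DLLs do not produce findings unless their name matches.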
South Korea impacted
The Internet Explorer zero-day attack impacted South Korea, which is known to rely on this web browser. In 1999, South Korea introduced a law that required online vendors to adopt Microsoft ActiveX to use the region’s SEED cipher for transactions. Internet Explorer is the only browser to support ActiveX. While South Korea has since planned to scrap this regulation, the region is still heavily dependent on this web browser.
This threat is just one of the many zero-day attacks that have affected South Korea. For example, last year, attackers used a well-designed threat known as Backdoor.Duuzer to target South Korean organizations. They spread Duuzer variants through zero-day exploits for the South Korean word processor Hangul.
The motivations of attacks affecting South Korean organizations often involve espionage or sabotage. Attackers have been observed targeting South Korean entities to gain remote access to their computers, steal sensitive data, or wipe hard drives.
Symantec is continuing to investigate this attack and will provide updates when available.
Users should implement the patch for the affected Internet Explorer vulnerability as soon as possible.
Additionally, Symantec recommends that users adhere to the following best practices to prevent their computers from being compromised:
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear-phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files.
- Keep your operating system and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities that attackers often exploit.
- Keep security software up-to-date with the latest definitions.
Symantec protects users against this exploit with the following detections:
Intrusion prevention system