A newly patched zero-day vulnerability in Internet Explorer has already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong. Symantec telemetry revealed that the compromised site was being used to deliver an exploit for the vulnerability, which in turn infected visitors with the Korplug back door (detected by Symantec as Backdoor.Korplug).
The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502). The IP address of this website is 126.96.36.199.
This website hosts a file called vvv.html, which redirects to one of two other files, a.js or b.js, and leads to the download of a file called java.html to the victim's computer. Java.html contains the exploit and, on success, installs Korplug on the computer in the form of an executable called c.exe.
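The staged chain above (compromised site, iFrame, vvv.html, a.js or b.js, java.html, c.exe) leaves a recognisable footprint in web proxy logs. The following is an added example of detection logic, not Symantec's code and not from the original post: it reconstructs, per client, how far along the chain each client got, so that a machine that fetched c.exe can be separated from one where the exploit stage was blocked. The log format, the client addresses, the domain compromised-church.example (the real church domain is not given in the post) and the sample log lines are all constructed for the example; the exploit host IP and file names are the ones named in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

EXPLOIT_HOST = "126.96.36.199"  # exploit host named in the write-up

# Ordered stages of the chain described in the write-up: landing page,
# redirector script (either of two), exploit page, dropped Korplug executable.
STAGES = (
    ("landing", frozenset({"vvv.html"})),
    ("redirector", frozenset({"a.js", "b.js"})),
    ("exploit", frozenset({"java.html"})),
    ("payload", frozenset({"c.exe"})),
)

# Assumed (constructed) proxy log format, one request per line:
#   <timestamp> <client-ip> <method> <url> "<referer>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'"(?P<referer>[^"]*)"\s+(?P<status>\d{3})\s*$'
)

# Constructed sample log: 10.0.0.5 runs the full chain, 10.0.0.6 has the exploit
# page blocked by the proxy, 10.0.0.7 fetches an unrelated c.exe elsewhere.
SAMPLE_LOG = """\
2015-08-19T09:12:01Z 10.0.0.5 GET http://compromised-church.example/index.html "" 200
2015-08-19T09:12:02Z 10.0.0.5 GET http://126.96.36.199/vvv.html "http://compromised-church.example/index.html" 200
2015-08-19T09:12:02Z 10.0.0.5 GET http://126.96.36.199/a.js "http://126.96.36.199/vvv.html" 200
2015-08-19T09:12:03Z 10.0.0.5 GET http://126.96.36.199/java.html "http://126.96.36.199/vvv.html" 200
2015-08-19T09:12:05Z 10.0.0.5 GET http://126.96.36.199/c.exe "http://126.96.36.199/java.html" 200
2015-08-19T09:15:40Z 10.0.0.6 GET http://126.96.36.199/vvv.html "http://compromised-church.example/index.html" 200
2015-08-19T09:15:41Z 10.0.0.6 GET http://126.96.36.199/b.js "http://126.96.36.199/vvv.html" 200
2015-08-19T09:15:41Z 10.0.0.6 GET http://126.96.36.199/java.html "http://126.96.36.199/vvv.html" 403
2015-08-19T09:20:00Z 10.0.0.7 GET http://example.org/c.exe "" 200
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _basename(url):
    """Last path component of a URL, lower-cased, for matching stage file names."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def detect_chains(lines, exploit_host=EXPLOIT_HOST):
    """Reconstruct, per client, how far along the described chain it got.

    Returns {client: {"stages": [...], "referer_host": ..., "verdict": ...}}
    for every client that successfully fetched the landing page from
    exploit_host. Stages are only credited in the described order and only
    for 2xx responses, so a lone c.exe download elsewhere, or a blocked
    java.html, does not count as a completed infection.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or urlparse(rec["url"]).hostname != exploit_host:
            continue
        per_client[rec["client"]].append(rec)

    report = {}
    for client, recs in per_client.items():
        stages, referer_host, nxt = [], None, 0
        for rec in recs:
            if nxt == len(STAGES):
                break
            name, files = STAGES[nxt]
            if _basename(rec["url"]) in files and rec["status"].startswith("2"):
                if name == "landing":
                    # vvv.html is loaded through the injected iFrame, so its
                    # referer identifies the compromised site that carried it.
                    referer_host = urlparse(rec["referer"]).hostname
                stages.append(name)
                nxt += 1
        if not stages:
            continue
        verdict = "payload_downloaded" if nxt == len(STAGES) else "exploit_attempt"
        report[client] = {"stages": stages, "referer_host": referer_host, "verdict": verdict}
    return report


if __name__ == "__main__":
    for client, info in sorted(detect_chains(SAMPLE_LOG.splitlines()).items()):
        print(client, info["verdict"], "via", info["referer_host"], "->", " > ".join(info["stages"]))
```

Clients reported as payload_downloaded are candidates for a Korplug triage (look for c.exe on disk and the persistence it sets up); exploit_attempt clients saw the landing page but not the dropper, which is still worth recording because it identifies the compromised referring site that carried the iFrame.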
Figure 1. Malicious iFrame hosted on compromised Hong Kong website
Korplug (also known as PlugX) is a Trojan that maintains a back door on an infected computer and facilitates information stealing. Symantec has previously published several blog posts about Korplug. The malware has been used in a range of attacks, mainly in Asia, over the past three years.
Figure 2. Zero-day exploit leads to Korplug infection
The new Internet Explorer zero-day bug was patched yesterday by Microsoft as part of Security Bulletin MS15-093. The vulnerability permits remote code execution if a user views a specially crafted web page using Internet Explorer. Successful exploitation of the vulnerability grants the attacker the same user rights as the current user, so users who browse with a non-administrative account limit what a successful exploit can do, although it can still install a back door under that account, as the Korplug case shows. Microsoft's security update resolves this issue by modifying how Internet Explorer handles objects in memory.
Symantec and Norton products protect against the exploit of this vulnerability with the following detections:
Intrusion Prevention System
The payload used in these attacks is detected as Backdoor.Korplug.