New Internet Explorer zero-day exploited in Hong Kong attacks 

Aug 19, 2015 12:21 PM

A newly patched zero-day vulnerability in Internet Explorer has already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong. Symantec telemetry revealed an exploit hosted on the compromised site, which was used to infect visitors with the Korplug back door (detected by Symantec as Backdoor.Korplug).

The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502). The IP address of this website is

This website hosts a file called vvv.html, which redirects to one of two other files, a.js or b.js, and leads to the download of a file called java.html to the victim’s computer. Java.html then installs Korplug on the computer in the form of an executable called c.exe.
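The two observable artefacts in the chain above are the injected iFrame on the compromised site and the fixed sequence of file names (vvv.html, a.js or b.js, java.html, c.exe) fetched from the exploit site. The following added example, which is not part of the original post or Symantec's tooling, shows how a defender could look for both: one function pulls out iFrames whose src points to a host other than the page's own, and another walks constructed proxy log lines per client and reports clients that requested the four stages in order from one host. The log format, the host names (RFC 5737/"test" reserved values) and the assumption that all four stages are served from the same exploit host are constructed for the example; the real exploit-site address is not reproduced here.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stage order as described in the write-up: vvv.html -> a.js | b.js -> java.html -> c.exe.
# Assumption for this example: all stages are fetched from the same exploit host.
CHAIN = [
    r"/vvv\.html$",
    r"/(a|b)\.js$",
    r"/java\.html$",
    r"/c\.exe$",
]


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def foreign_iframes(html, page_host):
    """Return iframe src values whose host differs from the page's own host.

    Relative srcs (no host part) are treated as same-origin and ignored.
    """
    collector = IframeCollector()
    collector.feed(html)
    found = []
    for src in collector.srcs:
        host = urlparse(src).netloc.split(":")[0].lower()
        if host and host != page_host.lower():
            found.append(src)
    return found


def parse_proxy_line(line):
    """Parse a constructed proxy record: '<timestamp> <client> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip malformed lines rather than failing
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "url": url}


def find_chains(lines):
    """Map client -> exploit host for clients that fetched all CHAIN stages in order.

    Lines are assumed to be in chronological order; a stage only counts if it
    comes from the same host as the first stage seen for that client.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    hits = {}
    for client, recs in per_client.items():
        stage, host = 0, None
        for rec in recs:
            parsed = urlparse(rec["url"])
            if re.search(CHAIN[stage], parsed.path):
                if host is None:
                    host = parsed.netloc
                if parsed.netloc == host:
                    stage += 1
                    if stage == len(CHAIN):
                        hits[client] = host
                        break
    return hits


# Constructed sample data (not real traffic): one client walks the full chain,
# a second client merely fetches unrelated files with similar names.
SAMPLE_LOG = """\
2015-08-18T10:00:01 10.0.0.5 GET http://www.example-church.test/index.html 200
2015-08-18T10:00:02 10.0.0.5 GET http://203.0.113.10/vvv.html 200
2015-08-18T10:00:02 10.0.0.5 GET http://203.0.113.10/a.js 200
2015-08-18T10:00:03 10.0.0.5 GET http://203.0.113.10/java.html 200
2015-08-18T10:00:05 10.0.0.5 GET http://203.0.113.10/c.exe 200
2015-08-18T10:01:00 10.0.0.9 GET http://cdn.example.test/a.js 200
2015-08-18T10:01:01 10.0.0.9 GET http://cdn.example.test/java.html 404
""".splitlines()

SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://203.0.113.10/vvv.html"></iframe>
<iframe src="/calendar.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("foreign iframes:", foreign_iframes(SAMPLE_HTML, "www.example-church.test"))
    print("clients with full chain:", find_chains(SAMPLE_LOG))
```

The iFrame check is deliberately broad (any off-host frame) because a legitimate site rarely frames arbitrary third-party hosts; review the output rather than alerting on it blindly. The chain matcher keys on file names and ordering only, so it is a cheap retrospective sweep over proxy logs, not a replacement for the IPS signatures mentioned later in the post.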

Figure 1. Malicious iFrame hosted on compromised Hong Kong website

Korplug (also known as PlugX) is a Trojan that maintains a back door on an infected computer and facilitates information stealing. Symantec has previously released several blogs around Korplug. The malware has been used in a range of attacks, mainly in Asia, over the past three years.

Figure 2. Zero-day exploit leads to Korplug infection

The new Internet Explorer zero-day bug was patched yesterday by Microsoft as part of Security Bulletin MS15-093. The vulnerability permits remote code execution if a user views a specially crafted web page using Internet Explorer. Successful exploitation of the vulnerability will grant the attacker the same user rights as the current user. Microsoft’s security update resolves this issue by modifying how Internet Explorer handles objects in memory.

Symantec and Norton products protect against the exploit of this vulnerability with the following detections:

Intrusion Prevention System

The payload used in these attacks is detected as:
