Symantec has discovered an Internet Explorer zero-day vulnerability used in limited targeted attacks in South Korea. According to a blog post on the firm’s website, it appears the exploit was hosted on a web page which would suggest the perpetrators used spear-phishing emails or watering hole attacks to compromise users.
The hackers took advantage of the Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability (CVE-2016-0189) before Microsoft had a chance to fix it in its latest Patch Tuesday release.
Symantec Security Response said:
“The exploit’s landing page contained JavaScript code that profiled the computer belonging to the user visiting the site. The code checked to see if the computer was a virtual machine, and determined which version of Internet Explorer, Flash, and Windows was running on the computer.”
“This information was then sent back to a website with South Korea’s top-level domain (TLD), .co.kr, in the URL.”
“The JavaScript then delivered the exploit in an obfuscated VBScript file. If the exploit succeeded, it downloaded a malicious file from a .co.kr website.”
“Once the file was downloaded, the exploit code decrypted it by XORing the file with the value 0x55164975. The file was then saved to the computer as %Temp%\rund11.dll.”
“The final payload is unknown at this time.”
The motivation behind the attack is currently unclear, but hacks on South Korean entities often involve espionage or sabotage with the intention of gaining remote access, stealing sensitive data or wiping hard drives.
Zero-day exploits are continuing to become more prevalent with the number of vulnerabilities discovered seeing dramatic increases over the last couple of years. Symantec’s Internet Security Threat Report revealed a record high of 54 found in 2015; a 125% rise from 2014.
Speaking to Infosecurity Symantec’s EMEA chief strategist Sian John said that discovering and targeting vulnerabilities in websites and software is now becoming a go-to approach for increasingly sophisticated cyber-criminals.
“Targeting website or software vulnerabilities is an appealing technique for cyber-criminals as it allows them to exploit the issue multiple times, often accessing thousands of people’s personal details before the issue is identified and publically disclosed. This can also happen if a relevant patch is not available or hasn‘t been applied quickly enough.”
However, John added that there are a few easy steps that users can take to help protect against zero-day attacks, such as keeping security software and operating systems up-to-date at all times.
“These updates frequently include series of patches that tackle newly discovered vulnerabilities exploited by cyber-criminals. Additionally, it’s important to remain wary of e-mails from unrecognized contacts that contain attachments.”
Symantec’s investigation into the attack is ongoing, but in the meantime users are advised to implement the patch for the Internet Explorer vulnerability as soon as possible.