After having discovered a new IE zero-day exploit being actively used in the wild, FireEye researchers have revealed that the watering hole attack is more than likely mounted by the same Chinese hacker group that orchestrated Operation DeputyDog and the attack on Bit9.
“The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution,” they explained in a blog post on Friday.
The two flaws are chained together to deliver the correct ROP chain needed to compromise the specific version of IE that the user who visits the compromised site and triggers the exploit uses.
“The memory access vulnerability is designed to work on Windows XP with IE 7 and 8, and on Windows 7,” they shared. “The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10.”
The “watering hole” site that hosts the exploit is based in the US and a popular stop for visitors interested in national and international security, the researchers say, but they didn’t name it. Visitors whose browser was vulnerable to the exploit had a Remote Access Trojan (RAT) dropped onto their computers.
“This payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artefacts that can be used to identify infected endpoints,” they pointed out. “Specifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps.”
This “diskless” RAT is not persistent – a simple reboot removes it from the system. Its use makes the researchers believe that the attackers are either sure that the victims will visit the same site very often and consequently get infected again, or that even a short time-frame will be enough for the attackers to gain access to other systems within the organization by moving laterally.
According to the researchers, the C&C infrastructure used in this campaign is the same one used in the DeputyDog campaign. Also, Bit9 has pointed out that the Hydraq/McRAT Trojan has also been used in the attack that targeted their network, as well as in Operation Aurora back in 2010.
“By utilizing strategic Web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive. APT actors are clearly learning and employing new tactics,” the researchers concluded, adding that they expect the hacker group to continue to launch new campaigns for the foreseeable future.
While this attack is extremely targeted and and limited, users should be aware that the attack can be mitigated by Microsoft’s EMET.