Now that Microsoft has patched the Internet Explorer 0-day vulnerability that was exploited to compromise US-based defense and financial firms, the Sourcefire vulnerability research team has shared more details about the exploit.
The exploit condition was not obvious, they say: the trigger was found in a Flash SWF file that accompanied the malicious sample. The SWF file performed a heap spray to set up code execution, as such files commonly do, but it also contained the actual IE exploit, which is unusual.
The email campaign delivering the exploit code used a variety of ruses, including emails about refinance reports, updated galleries and registration confirmations.
They also shared the domains from which the malicious code was downloaded so that administrators can block access to them: profile.sweeneyphotos.com, web.neonbilisim.com, web.usamultimeters.com, and inform.bedircati.com.
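Beyond blocking those domains, administrators will want to know whether anyone in their network already contacted them. The script below is an added example, not code from the article or from Sourcefire or FireEye; it scans constructed, hypothetical Squid-style proxy log lines for the four published domains and their subdomains, matching on whole DNS labels so that a look-alike host that merely contains an indicator as a prefix is not reported.

```python
from urllib.parse import urlsplit

# Indicator domains published by Sourcefire for this campaign (from the article above).
IOC_DOMAINS = {
    "profile.sweeneyphotos.com",
    "web.neonbilisim.com",
    "web.usamultimeters.com",
    "inform.bedircati.com",
}

# Constructed sample log lines (hypothetical Squid-style access log):
# timestamp client_ip result/status bytes method url
SAMPLE_LOG = """\
1398800000.123 10.0.0.5 TCP_MISS/200 5123 GET http://profile.sweeneyphotos.com/gallery/index.html
1398800001.456 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.com/news
1398800002.789 10.0.0.5 TCP_MISS/200 9876 GET http://INFORM.BEDIRCATI.COM/update.swf
1398800003.001 10.0.0.9 TCP_MISS/404 312 GET http://web.neonbilisim.com.evil-lookalike.test/x
1398800004.222 10.0.0.9 TCP_MISS/200 2048 GET https://cdn.web.usamultimeters.com/a.swf
"""


def host_matches(host, iocs):
    """Return the indicator that covers `host`, or None.

    A host matches if it equals an indicator or is a subdomain of one
    (label-aware suffix check). 'web.neonbilisim.com.evil-lookalike.test'
    does not match 'web.neonbilisim.com' because the indicator is not
    the host's registrable suffix.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(text, iocs=IOC_DOMAINS):
    """Parse log lines and return (client_ip, host, matched_ioc) for every hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than crash
        client_ip, url = fields[1], fields[5]
        host = urlsplit(url).hostname  # urlsplit lowercases the hostname
        if not host:
            continue
        ioc = host_matches(host, iocs)
        if ioc:
            hits.append((client_ip, host, ioc))
    return hits


def affected_clients(hits):
    """Set of internal clients that reached at least one indicator domain."""
    return {client for client, _, _ in hits}


if __name__ == "__main__":
    for client, host, ioc in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host} (indicator: {ioc})")
    print("clients to triage:", sorted(affected_clients(scan_log(SAMPLE_LOG))))
```

Any client that appears in the output downloaded content from an indicator domain during the campaign window and should be treated as potentially compromised, not merely blocked going forward.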
Also, on the day the patch for the bug was pushed out, FireEye researchers noted that the attackers had begun using a new version of the attack, one that targets Windows XP machines running IE 8. This may well explain why Microsoft decided to push out an update for Windows XP as well, even though that OS had already reached the end of its support lifecycle.
“We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organizations in the Government- and Energy-sector are now also facing attack,” the researchers shared.