Researchers share details about recent IE 0-day exploit and its delivery
Given that Microsoft has closed the Internet Explorer 0-day vulnerability that was exploited to compromise US-based defense and financial firms, the Sourcefire vulnerability research team has decided to share some more details about the exploit.
“The first thing to notice is that even though CVE 2014-1776 is an Internet Explorer vulnerability that uses Javascript to cause exploitation, there was almost no obfuscation of the code,” they noted. “Usually multiple layers of obfuscation are used and free javascript obfuscators are layered on top of each other to make it difficult for researchers and detection devices to identify what is happening in the code. Instead, almost all the functions and variables were there in plain sight.”
The exploit condition was not that obvious, they say, but was found in a Flash SWF file that accompanied the malicious sample. The file was made to perform a heap spray to facilitate the code execution, but also contained the actual IE exploit, which is unusual.
The email campaign delivering the exploit code used a variety of ruses: emails about refinance reports, updated galleries, registration confirmation:
They also shared the domains from which the malicious code was downloaded so that admins could block access to them: profile.sweeneyphotos.com, web.neonbilisim.com, web.usamultimeters.com, and inform.bedircati.com.
Also, on the day that the patch for the bug was pushed out, FireEye researchers have noted that the attackers have begun using a new version of the attack – one that targets Windows XP machines running IE 8. This could definitely explain why Microsoft has decided to push out an update for Windows XP, as well.
“We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organization in the Government- and Energy-sector are now also facing attack,” the researchers shared.