IE “Unicorn” bug actively exploited in the wild

Last week, in its regular Patch Tuesday, Microsoft patched a number of serious vulnerabilities, including one that is nearly two decades old, dating back to Microsoft IE 3.0.

Discovered by the IBM X-Force Research team, the bug (CVE-2014-6332) can be exploited in drive-by attacks to take over the user’s machine, as it allows attackers to sidestep the Enhanced Protected Mode sandbox in IE 11 as well as the Microsoft’s free EMET anti-exploitation tool.

It didn’t take long for someone to make publicly available a proof-of-concept exploit for the flaw, and it took even less time for this particular exploit code to be modified and used by cyber criminals.

ESET researchers have spotted an active malware delivery campaign using the exploit to target users who visited a specific web page (about TV Reality show winners) on a popular Bulgarian news agency website.

“Strangely, the exploit is actually present two times consecutively,” they shared. But, the delivered payload is the same in both cases: a file named natmasla.exe.

The delivered malware can be used to launch DDoS attacks, open remote shells for the attackers to misuse, collect information and send it to its C&C server, and so on.

“Although we were not able to link this particular incident to a known exploit kit, it is a matter of time before mainstream kits integrate this vulnerability. Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect this vulnerability conversion rate to be very high,” ESET researchers pointed out, then advised everyone to update their IE if they haven’t yet.

NSS Labs researchers have also spotted reliable exploits currently taking advantage of the bug, but have concentrated on analyzing the dropped malware and haven’t said much about the exploit itself.




Share this