Emerging Threat: MS IE 10 Zero-Day (CVE-2014-0322) Use-After-Free Remote Code Execution Vulnerability

EXECUTIVE SUMMARY:

FireEye published a blog post on 2/14/2014 about a new, unpatched vulnerability in Microsoft Internet Explorer 10 (CVE-2014-0322) that is being exploited in the wild. The compromised website (vfw[.]org) was injected with an iframe that redirects the visitor to the attacker's malicious page, which then loads a Flash file. The Flash file contains shellcode; once the IE vulnerability has been triggered successfully, the shellcode downloads a PNG file from a remote site. The PNG file has a DLL and an EXE embedded at its end. The DLL launches the EXE, which is the payload.

Data uncovered during Symantec's investigation suggests a connection between this attack and the malicious actors known to Symantec as Hidden Lynx. The data indicates that the same infrastructure is being used as in a previous attack by this group, which used Backdoor.Moudoor.

THREAT DETAILS:

The target of this watering hole attack was the vfw[.]org (Veterans of Foreign Wars) website. While the attack was active, visitors to the site would encounter an iframe that the attackers had inserted to load a second compromised page (hosted on aliststatus[.]com) in the background. The iframe's img.html file loads a malicious tope.swf Flash file that exploits a vulnerability in Internet Explorer 10. Symantec detects the malicious iframe as Trojan.Malscript and the malicious SWF file as Trojan.Swifi.

Exploitation of the vulnerability by the SWF file leads to another download from the aliststatus[.]com domain in order to initiate the final stages of the payload. The first part of this download is a PNG image file named erido.jpg (detected as Trojan Horse) that contains multiple embedded binaries, which are then extracted by shellcode executed by the SWF file. The embedded binaries are named sqlrenew.txt, which despite its name is actually a DLL file (also detected as Trojan Horse), and stream.exe (detected as Backdoor.Winnti.C or Backdoor.ZXShell).

Additional code in the SWF file is responsible for loading the sqlrenew.txt DLL. At this point the DLL takes over and launches a stream.exe process, which is the final payload. This sample connects back to the attacker-controlled newss[.]effers[.]com server.
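One defender-side check that the erido.jpg carrier technique above suggests, as an added example (not Symantec's or FireEye's code): parse the PNG chunk structure, flag anything that follows the IEND chunk, and look for plain MZ/PE headers in that tail. It assumes the appended binaries are not encoded; an encoded tail is still reported through the trailing byte count. The sample PNGs are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def png_trailing_data(data: bytes) -> bytes:
    """Return every byte after the IEND chunk. Viewers ignore data past IEND,
    which is how a carrier like erido.jpg hides appended binaries."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")

def find_pe_headers(blob: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits, start = [], 0
    while (i := blob.find(b"MZ", start)) != -1:
        if i + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                hits.append(i)
        start = i + 2
    return hits

def scan_png(data: bytes) -> dict:
    """Report how much data trails IEND and where any plain PE headers sit in it."""
    trailing = png_trailing_data(data)
    return {"trailing_bytes": len(trailing), "pe_offsets": find_pe_headers(trailing)}

# Constructed samples: a minimal 1x1 grayscale PNG, and the same image with a
# dummy MZ/PE stub appended as a stand-in for the DLL/EXE carried by erido.jpg.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
CARRIER_PNG = CLEAN_PNG + FAKE_PE
```

Any non-zero trailing_bytes on an image served from a web page is worth a closer look even when no PE header is found, since the shellcode stage could just as well decode the tail before writing it out.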

Figure: Watering hole attack using IE 10 Zero-Day

IMPACT:

  • Users not running Internet Explorer 10, or running a browser native to Mac OS, are not vulnerable.
  • For Internet Explorer 10 users on Windows:
      • An attacker who successfully exploits this vulnerability could gain the same rights as the currently logged-on user.
      • Users whose accounts are configured with fewer user rights on the system could be less affected than users who operate with administrative privileges.

AFFECTED SOFTWARE:

  • Microsoft Internet Explorer 10

SYMANTEC MSS SOC DETECTION CAPABILITIES:

MSS Detection

  • [MSS URL Detection] Backdoor.Winnti.C possible C&C traffic

Vendor Detection

  • Symantec AV
      • Trojan.Malscript (Malicious Web Page)
      • Trojan.Swifi (Malicious File)
      • Trojan Horse (Malicious DLL)
      • Trojan Horse (Downloaded PNG file)
      • Backdoor.Winnti.C (Payload)
      • SONAR.Heuristic.112
      • Suspicious.Cloud.2
      • WS.Trojan.H
  • Symantec IPS
      • Web Attack: Malicious SWF Download 19
      • Web Attack: MSIE Generic Browser Exploit 3
  • Snort/SourceFire
      • 2018147 ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322

MITIGATION STRATEGIES:

Microsoft Internet Explorer users who are concerned about this vulnerability and who are unable to patch their machines can follow these mitigation steps:

  • Symantec recommends that customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Do not use Microsoft Internet Explorer version 10; upgrade to the newest version of Internet Explorer (11) or use another browser.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET).
  • Do not use out-of-date software; keep your operating system and software up to date with the latest versions and security patches.
  • Run all software as a non-privileged user with minimal access rights. Running non-administrative software this way reduces the impact of latent vulnerabilities.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Do not follow links or open email attachments provided by unknown or untrusted sources.
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) complicate exploitation of memory-corruption vulnerabilities.
  • Symantec encourages users to apply all relevant patches as soon as they are available.

REFERENCES:

  • New Internet Explorer 10 Zero-Day Discovered in Watering Hole Attack
    http://www.symantec.com/connect/blogs/new-internet-explorer-10-zero-day-discovered-watering-hole-attack
  • NIST Vulnerability Summary for CVE-2014-0322
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0322
  • New IE Zero-Day Found in Watering Hole Attack
    http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
  • Security Focus BID 65551
    http://www.securityfocus.com/bid/65551

We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager; the Analysis Team can also be reached by requesting help via phone or e-mail, or by visiting the MSS portal at https://mss.symantec.com.

Global Client Services Team

Symantec Managed Security Services

https://mss.symantec.com
