AlienVault: IE zero day targets defence and industrial companies and linked to Chinese PlugX gang

September 2012 by AlienVault

Building on the in-depth research that Jaime Blasco and his team at AlienVault released on the Chinese PlugX RAT malware late last week, the security researcher has revealed that the widely reported latest – and potentially critical – zero-day vulnerability in Internet Explorer may have come from the same source.

In addition, the researcher claims to have tracked several new versions of the Internet Explorer zero-day exploit targeting a number of defence and industrial companies, including a US aircraft and weapons delivery systems company, a US aerospace and defence technology company and a UK defence contractor.

As reported previously, the security researcher managed to track down the author of the PlugX remote access trojan (RAT) malware – which has been used countless times in recent years to stage targeted attacks on many organisations around the world – after the author failed to ‘clean up’ the source code for the malware.

Earlier this week, Blasco’s colleagues at Rapid7 spotted a potentially major zero-day security flaw in Internet Explorer 7, 8 and 9 running under the Windows XP, Vista and Win7 operating systems (http://bit.ly/QZ4Byg).

Thanks to the in-depth research he and his team have already completed on PlugX, Blasco has traced a connection between the two security issues, after a colleague spotted a set of exploit code (an update on Moh2010.swf) on a www.nod32XX.com address.

“The file Moh2010.swf is a bit different than the previous one. It is also encrypted using DoSWF but the encrypted content is different,” he says in his latest security advisory, adding that he traced the DoSWF file – a utility used to encrypt/obfuscate Flash files – to a French (166.com.fr) email address.

Most interesting of all, however, is the fact that the HTTP headers on the server indicate that the files were created several days ago – i.e. before the Internet Explorer zero-day vulnerability went mainstream.

The malware used a technique to bypass some of the operating system security restrictions and maintain persistence using a digitally signed program from Nvidia. By having that signed program load a malicious DLL, the attackers are able to run their code on the victim’s system.

Perhaps more important is the fact that the resultant payload is a version of the PlugX Remote Access Trojan that he and his team reported on last week (http://bit.ly/QZ5UgK).

Blasco concludes his report by saying that it appears that the cybercriminals actively using the PlugX malware had access to the Internet Explorer zero day security flaw several days before it was uncovered.

“Due to the similarities of the newly discovered exploit code and the one discovered some days ago it is very likely that the same group is behind both instances,” he says.