
Compromised US Government Webpage Used Zero-Day Exploit

  • Posted on:May 5, 2013 at 9:49 pm
  • Posted in:Exploits, Malware
  • Author:
    Dexter To (Network Threat Researcher)

A new Internet Explorer zero-day exploit has been spotted in a compromised website of the US Department of Labor.

When users visit the compromised website, it loads a malicious script which Trend Micro detects as JS_DLAGENT.USR. This particular script was hosted on the compromised site itself. It loads another script (this time, hosted on a malicious server) detected as JS_KILLAV.AA.

Once executed, JS_KILLAV.AA obtains specific information from the infected machine, such as the installed Adobe Reader and Flash versions as well as the security applications and browsers present. It then initiates a series of redirections that ultimately lead to malicious websites, including one that serves the exploit code, which we detect as JS_EXPLOIT.MEA.

This particular exploit is relatively limited in scope; according to the Microsoft bulletin, only Internet Explorer 8 is affected by this vulnerability. For Windows XP users, this is the current version of IE available; both Vista and Windows 7 users have newer versions available. Once exploited, the vulnerability allows code execution on the affected system. In this case, it downloads BKDR_POISON.MEA, a variant of the remote access Trojan (RAT) Poison Ivy, which is commonly used in high-profile targeted attacks.
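The infection chain above (script on the compromised page, second script on an outside host, a run of redirections, then the RAT download) leaves a referrer trail in web proxy logs. The following is an added example, not code from the original post, that walks such a trail over constructed sample records; all hosts are invented `.test` names, `TRUSTED_HOSTS` is the assumed site being watched, and the IE8-on-XP check only mirrors the version scoping the post describes.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of proxy records (client, url, referrer, user_agent, content_type).
# Every host is an invented .test name, not an indicator from the original post.
UA_XP_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
UA_WIN7_FF = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"
GOV = "http://www.agency-gov.test"
SAMPLE = [
    ("10.0.0.5", GOV + "/news.html", "-", UA_XP_IE8, "text/html"),
    ("10.0.0.5", GOV + "/js/site.js", GOV + "/news.html", UA_XP_IE8, "application/javascript"),
    ("10.0.0.5", "http://stat.hosted-js.test/c.js", GOV + "/news.html", UA_XP_IE8, "application/javascript"),
    ("10.0.0.5", "http://hop-one.test/in.php", "http://stat.hosted-js.test/c.js", UA_XP_IE8, "text/html"),
    ("10.0.0.5", "http://hop-two.test/e.html", "http://hop-one.test/in.php", UA_XP_IE8, "text/html"),
    ("10.0.0.5", "http://hop-two.test/u.exe", "http://hop-two.test/e.html", UA_XP_IE8, "application/octet-stream"),
    ("10.0.0.9", GOV + "/news.html", "-", UA_WIN7_FF, "text/html"),
    ("10.0.0.9", GOV + "/js/site.js", GOV + "/news.html", UA_WIN7_FF, "application/javascript"),
]
TRUSTED_HOSTS = {"www.agency-gov.test"}  # the site being watched for injected scripts (assumed)
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def exposed_client(ua):
    # The post scopes the bug to IE8; "Windows NT 5.1" is the XP token, where IE8 is the newest IE.
    return "MSIE 8.0" in ua and "Windows NT 5.1" in ua

def find_chains(rows):
    """One finding per outside script pulled in by a trusted page that leads, referrer by
    referrer, across two or more outside hosts and ends in an executable download."""
    host = lambda u: urlsplit(u).hostname
    by_client = defaultdict(list)
    for row in rows:
        by_client[row[0]].append(row)
    findings = []
    for client, recs in by_client.items():
        for seed in recs:
            _, url, ref, ua, ctype = seed
            # step 1: a script fetched from an outside host while the trusted page is the referrer
            if (ref == "-" or host(ref) not in TRUSTED_HOSTS
                    or host(url) in TRUSTED_HOSTS or ctype != "application/javascript"):
                continue
            chain = [seed]
            while True:  # step 2: follow the referrer links forward, one hop at a time
                nxt = next((r for r in recs if r[2] == chain[-1][1] and r not in chain), None)
                if nxt is None:
                    break
                chain.append(nxt)
            hosts = list(dict.fromkeys(host(r[1]) for r in chain))
            # step 3: report only chains that cross several hosts and end in a binary download
            if len(hosts) >= 2 and chain[-1][4] in EXE_TYPES:
                findings.append({"client": client, "hosts": hosts,
                                 "payload": chain[-1][1], "exposed_client": exposed_client(ua)})
    return findings
```

The benign client (`10.0.0.9`) loads only the site's own script and produces no finding, which is the false-positive control worth keeping when tuning the referrer walk on real logs.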

Poison Ivy, also known as POISON, has been associated with the infamous Nitro attacks that started in July 2011 and targeted certain non-governmental organizations. This RAT, which is available in the cybercrime underground, was also used in the widely known RSA security breach in 2011.

Based on our investigation, a number of malicious domains were also appended to the said government webpage in the past, most of which lead users to dubious ad sites. We noted that some of these appear as spam hyperlinks advertising fake pharmaceutical products. Apart from this US government page, we also noted another local government site that still contains one of these spam hyperlinks.

This is just the latest in a series of high-profile zero-day attacks to hit users since the start of the year. These exploits are used to deliver a wide variety of payloads, from REVETON and other ransomware to Poison Ivy, as was the case in this attack.

We are working with Microsoft to provide protection for our users, as well as monitoring for other threats that use this exploit. We will update this post with more information as it becomes available.

Update as of 6:30 PM PDT, May 6, 2013

We have released the following Deep Security rule to mitigate any attacks that use this threat:

  • 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347)

Update as of 6:30 PM PDT, May 8, 2013

Microsoft has updated their advisory to include a “Fix it” tool that serves as a workaround for the vulnerability. While it prevents known attacks from running exploit code, it is not yet a full patch, which will be released at a later time. The tool can be found here.

Tags: Exploit, Internet Explorer, Java, security breach, security roundup, trend micro, US Department of Labor, zero day
