A new Internet Explorer zero-day exploit has been spotted in a compromised website of the US Department of Labor.
When users visit the compromised website, it loads a malicious script which Trend Micro detects as JS_DLAGENT.USR. This particular script was hosted on the compromised site itself. It loads another script (this time, hosted on a malicious server) detected as JS_KILLAV.AA.
Once executed, JS_KILLAV.AA obtains specific information from the infected machine, such as the installed Adobe Reader and Flash versions as well as the security applications and browsers present. It then initiates a series of redirections that ultimately lead to malicious websites, including one that serves the exploit code, which we detect as JS_EXPLOIT.MEA.
This particular exploit is relatively limited in scope; according to the Microsoft bulletin, only Internet Explorer 8 is affected by this vulnerability. For Windows XP users, this is the current version of IE available; both Vista and Windows 7 users have newer versions available. Once exploited, the vulnerability allows code execution on the infected system. In this case, it downloads BKDR_POISON.MEA, a variant of the PoisonIvy remote access Trojan (RAT) commonly used in high-profile targeted attacks.
Poison Ivy, also known as POISON, has been associated with the infamous Nitro attacks that started in July 2011 and targeted certain non-governmental organizations. This RAT, which is available in the cybercrime underground, was also used in the widely known RSA security breach in 2011.
Based on our investigation, a number of malicious domains were also appended to the said government webpage in the past, most of which lead users to dubious ad sites. We noted that some of these appear as spam hyperlinks advertising fake pharmaceutical products. Apart from this US government page, we also noted another local government site that still contains one of these spam hyperlinks.
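The two injection patterns described above (a loader script placed on the compromised site that pulls a second script from a malicious host, and spam hyperlinks appended to the page) can both be caught by a site owner comparing served pages against a known-good inventory. The following is an added example, not code from the original post or from Trend Micro; the site URL, trusted hosts, expected script list and sample HTML are all constructed for illustration:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical site profile, constructed for this example: the page's own URL, the
# hosts it legitimately loads from, and the script references it is expected to carry.
SITE_URL = "https://www.example.gov/page.htm"
TRUSTED_HOSTS = {"www.example.gov", "static.example.gov"}
EXPECTED_SCRIPTS = {"https://www.example.gov/js/site.js", "https://static.example.gov/jquery.js"}

def _host(url):
    return (urlparse(url).hostname or "").lower()

class InjectedContentScanner(HTMLParser):
    """Flags script tags outside the expected inventory and links to untrusted hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            url = urljoin(SITE_URL, attrs["src"])
            if url not in EXPECTED_SCRIPTS:
                # Inventory check catches a loader dropped on the site itself; host check catches an off-origin loader.
                kind = "unexpected-onsite-script" if _host(url) in TRUSTED_HOSTS else "off-origin-script"
                self.findings.append((kind, url))
        elif tag == "a" and attrs.get("href"):
            url = urljoin(SITE_URL, attrs["href"])
            if _host(url) not in TRUSTED_HOSTS:  # candidate appended spam hyperlink
                self.findings.append(("off-origin-link", url))

def scan_page(html):
    """Return the list of (kind, url) findings for one page's HTML."""
    scanner = InjectedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: two expected scripts, an injected on-site loader, an off-origin
# loader, one legitimate link and a hidden spam hyperlink.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://static.example.gov/jquery.js"></script>
<script src="/images/loader.js"></script>
<script src="http://malicious.example.net/stage2.js"></script>
</head><body><a href="/contact">Contact us</a>
<div style="display:none"><a href="http://cheap-pills.example.org/">pills</a></div>
</body></html>"""
```

Running `scan_page` over each page fetched from the live site and diffing the findings against the previous run turns a silent defacement into an alert; on-origin hits point at a compromised web server, off-origin hits at injected content.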
This is just the latest in a series of high-profile zero-day attacks to hit users since the start of the year. These exploits have been used to deliver a wide variety of payloads, from REVETON and other ransomware to Poison Ivy, as was the case in this attack.
We are working with Microsoft to provide protection for our users, as well as monitoring for other threats that use this exploit. We will update this thread with more information as it becomes available.
Update as of 6:30 PM PDT, May 6, 2013
We have released the following Deep Security rule to mitigate any attacks that use this threat:
- 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347)
Update as of 6:30 PM PDT, May 8, 2013
Microsoft has updated its advisory to include a “Fix it” tool that serves as a workaround for the vulnerability. While it prevents known attacks from running exploit code, it is not yet a full patch, which will be released at a later time. The tool can be found here.