New IE exploit variant distributes PlugX malware, researchers say
A variant of the recently discovered Internet Explorer exploit was identified by researchers from AlienVault
IDG News Service - Researchers from security vendor AlienVault have identified a variant of a recently discovered Internet Explorer exploit that is used to infect targeted computers with the PlugX remote access Trojan (RAT) program.
The newly discovered exploit variant targets the same unpatched vulnerability in IE 6, 7, 8 and 9 as the original exploit, but uses slightly different code and has a different payload, AlienVault Labs manager Jaime Blasco said Tuesday in a blog post.
The first exploit was found over the weekend on a known malicious server by security researcher Eric Romang and distributed the Poison Ivy RAT. The second exploit version discovered by AlienVault researchers was found on a different server and installs a much newer RAT program called PlugX.
However, file modification dates seen on both servers suggest that both versions of the exploit have been in use since at least Sep. 14.
"We know that the group actively using the PlugX malware also called Flowershow had access to the Internet Explorer ZeroDay [exploit targeting an unpatched vulnerability] days before it was uncovered," Blasco said. "Due to the similarities of the new discovered exploit code and the one discovered some days ago it is very likely that the same group is behind both instances."
AlienVault researchers have been tracking attacks that use the PlugX RAT since earlier this year. Based on file debug paths found inside the malware, they believe that the relatively new RAT was developed by a Chinese hacker known as WHG, who had previous ties with the Network Crack Program Hacker (NCPH), a well known Chinese hacker group.
AlienVault researchers have also identified two additional websites that served the new IE exploit in the past, but no payload could be obtained from them, Blasco said. One was a defense news site from India and the other was probably a fake version of the 2nd International LED professional Symposium website, he said.
"It seems the guys behind this 0day were targeting specific industries," Blasco said.
The server where the original IE exploit was found also stored an exploit for an unpatched Java vulnerability last month. That Java exploit was used in attacks attributed by security researchers to a Chinese hacker group dubbed "Nitro."
Microsoft already released a security advisory about the new IE vulnerability and recommended temporary mitigation solutions while it works on a patch.
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!