The Dell SonicWALL UTM Research team received reports of a new zero-day exploit targeting Internet Explorer being employed in watering hole attacks. These attacks target a use-after-free vulnerability in Internet Explorer version 8 running on Windows XP or Windows 7 operating systems. Versions 6 and 7 of Internet Explorer are also vulnerable to this exploit but were not targeted in this attack. This vulnerability is documented under CVE-2012-4792, and Microsoft has released an advisory for it.
A watering hole attack involves planting exploits and payloads on compromised sites that the intended victims are likely to visit. In this case, the site of a think tank headquartered in the US and the site of an organization selling energy generation equipment, also headquartered in the US, were compromised and the exploits were loaded onto them. The attacks targeted visitors of these sites with a Backdoor Trojan.
The exploit is attempted using an SWF and multiple JavaScript components. It is only attempted if the Flash plugin is installed, the IE version is 8, specific language packs are installed and Java version 6 is installed. Successful exploitation leads to the download and execution of a Backdoor Trojan.
The initial DLL payload is XOR'ed using the key '0x83' and is decrypted by the SWF component. This in turn drops a Backdoor Trojan which does the following:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
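For triage of the XOR-encoded DLL payload described above, the following is an added example (not SonicWALL's code or signature logic) that checks whether a captured blob decodes to a PE image under a single-byte XOR key and reports whether it is a DLL. It generalizes beyond the stated key 0x83 by also recovering an unknown key; the function names and the header stub used as input are constructed for illustration.

```python
import struct
from collections import Counter

PAGE_KEY = 0x83  # key stated in the write-up

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)

def pe_info(data: bytes):
    """Return {'dll': bool} if data starts with a plausible PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {"dll": bool(characteristics & 0x2000)}  # IMAGE_FILE_DLL

def frequency_key_guess(blob: bytes) -> int:
    """PE images are padded with 0x00, so the most common encoded byte is usually the key."""
    return Counter(blob).most_common(1)[0][0]

def recover_key(blob: bytes):
    """Return the key that decodes blob to a PE (0 = already plain), or None."""
    guess = frequency_key_guess(blob)
    for key in [guess] + [k for k in range(256) if k != guess]:
        # Two-byte pre-check avoids decoding the whole blob for wrong keys.
        if blob[:2] == bytes((0x4D ^ key, 0x5A ^ key)) and pe_info(xor_bytes(blob, key)):
            return key
    return None

def build_sample_dll_header() -> bytes:
    """Constructed, non-functional header stub standing in for a captured payload."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew points just past the DOS stub
    # IMAGE_FILE_HEADER: Machine = i386, Characteristics = IMAGE_FILE_DLL
    file_header = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0x2000)
    return bytes(dos) + b"PE\0\0" + file_header

if __name__ == "__main__":
    captured = xor_bytes(build_sample_dll_header(), PAGE_KEY)  # simulated encoded form
    key = recover_key(captured)
    print(hex(key), pe_info(xor_bytes(captured, key)))
```

Because zero padding in a PE image encodes to the key byte itself, long runs of 0x83 in a downloaded blob are a quick visual indicator of this encoding.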