Security Experts:

Just-Patched Internet Explorer Flaw Used in Watering Hole Attacks

Malicious actors have leveraged the critical Internet Explorer vulnerability patched by Microsoft on Tuesday to deliver a piece of malware through various legitimate websites, including the one of a Hong Kong church.

When it released the emergency patch for the memory corruption flaw (CVE-2015-2502) on August 18, Microsoft warned that the weakness had been exploited in the wild. One day after the remote code execution vulnerability was addressed, security firms Heimdal Security and Symantec reported seeing watering hole attacks in which malicious actors leveraged the bug to deliver the PlugX remote access Trojan (RAT), also known as Korplug.

According to Symantec, the attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and set it up to host a malicious iframe designed to redirect visitors to a site (115.144.107.55) hosting the Internet Explorer exploit.

Users who land on this website are served a file called “java.html,” which installs PlugX on their computers.

Heimdal Security, which was the first to report the attack, noted that the command and control (C&C) server used in the operation is hosted by Korean hosting company EhostIDC. The security firm said the same server was used in the past 6 months in advanced persistent threat (APT) attacks involving PlugX.

Antivirus detection rates for the exploit and the payload are low, Heimdal said on Wednesday.

"The CVE-2015-2502 exploit attack carried out yesterday happened very quickly and with a complex attack method, using compromised legitimate sites to deliver malware. With the ambition of stealing valuable information, attackers have moved quickly to deliver korplug malware onto systems vulnerable to the IE exploit,” Morten Kjaersgaard, CEO of Heimdal Security, told SecurityWeek. “How many systems have been compromised is impossible to say at this point.”

"What we have seen with this attack targeted toward the IE exploit and as a general trend lately is, that hackers are moving faster to utilize new exploits and get their malware inside vulnerable system,” Kjaersgaard added.

The PlugX RAT has been observed in numerous attacks since 2012, particularly ones launched by Chinese threat actors. In November 2014, ESET reported spotting the malware in a cyber espionage campaign aimed at Russian, Afghan and Tajik military and diplomats. Earlier this year, Citizen Lab reported spotting PlugX being used to target Tibetan diaspora and Hong Kong pro-democracy groups.

Related Reading: China Cybergang Using Hacking Team Exploits Against Financial Firm

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.