Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Just-Patched Internet Explorer Flaw Used in Watering Hole Attacks

Malicious actors have leveraged the critical Internet Explorer vulnerability patched by Microsoft on Tuesday to deliver a piece of malware through various legitimate websites, including the one of a Hong Kong church.

Malicious actors have leveraged the critical Internet Explorer vulnerability patched by Microsoft on Tuesday to deliver a piece of malware through various legitimate websites, including the one of a Hong Kong church.

When it released the emergency patch for the memory corruption flaw (CVE-2015-2502) on August 18, Microsoft warned that the weakness had been exploited in the wild. One day after the remote code execution vulnerability was addressed, security firms Heimdal Security and Symantec reported seeing watering hole attacks in which malicious actors leveraged the bug to deliver the PlugX remote access Trojan (RAT), also known as Korplug.

According to Symantec, the attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and set it up to host a malicious iframe designed to redirect visitors to a site ( hosting the Internet Explorer exploit.

Users who land on this website are served a file called “java.html,” which installs PlugX on their computers.

Heimdal Security, which was the first to report the attack, noted that the command and control (C&C) server used in the operation is hosted by Korean hosting company EhostIDC. The security firm said the same server was used in the past 6 months in advanced persistent threat (APT) attacks involving PlugX.

Antivirus detection rates for the exploit and the payload are low, Heimdal said on Wednesday.

“The CVE-2015-2502 exploit attack carried out yesterday happened very quickly and with a complex attack method, using compromised legitimate sites to deliver malware. With the ambition of stealing valuable information, attackers have moved quickly to deliver korplug malware onto systems vulnerable to the IE exploit,” Morten Kjaersgaard, CEO of Heimdal Security, told SecurityWeek. “How many systems have been compromised is impossible to say at this point.”

“What we have seen with this attack targeted toward the IE exploit and as a general trend lately is, that hackers are moving faster to utilize new exploits and get their malware inside vulnerable system,” Kjaersgaard added.

The PlugX RAT has been observed in numerous attacks since 2012, particularly ones launched by Chinese threat actors. In November 2014, ESET reported spotting the malware in a cyber espionage campaign aimed at Russian, Afghan and Tajik military and diplomats. Earlier this year, Citizen Lab reported spotting PlugX being used to target Tibetan diaspora and Hong Kong pro-democracy groups.

Related Reading: China Cybergang Using Hacking Team Exploits Against Financial Firm

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.