Experts Identify IE Exploit on Indian Defense Site, Find Link to PlugX RAT


Most security firms are currently busy analyzing the latest Internet Explorer (IE) zero-day exploit. One of these companies is AlienVault, which has not only found websites that host the malicious code, but has also uncovered a connection to the PlugX RAT.

Experts have identified a new version of the moh2010.swf Flash file utilized in the attacks that leverage the IE exploit. Their analysis led them to a file called Nv.exe which is used by Nvidia for several of its applications. 
As it turns out, the cybercriminals are relying on Nv.exe to load a DLL file which executes the binary content of another component named Nv.mp3. 

The malicious payload present in this Nv.mp3 file is actually a version of the PlugX Remote Administration Trojan (RAT). 
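As an added defensive illustration (not code from the article or from AlienVault), the following Python script flags the loading pattern described above: an executable, a DLL and a same-named .mp3 in one folder where the .mp3 begins with a PE "MZ" header instead of audio data. Only Nv.exe and Nv.mp3 come from the article; the DLL name and the sample contents are constructed.

```python
import os
import tempfile

def looks_like_pe(path):
    """True if the file begins with the 'MZ' DOS header every Windows PE image carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def find_sideload_triads(directory):
    """Return (exe, mp3) pairs for a same-stem .exe and .mp3 that sit beside a .dll
    where the .mp3 actually holds a PE image instead of audio."""
    names = os.listdir(directory)
    has_dll = any(n.lower().endswith(".dll") for n in names)
    exes = {os.path.splitext(n)[0].lower(): n for n in names if n.lower().endswith(".exe")}
    hits = []
    for n in names:
        stem, ext = os.path.splitext(n)
        if ext.lower() != ".mp3" or stem.lower() not in exes or not has_dll:
            continue
        if looks_like_pe(os.path.join(directory, n)):
            hits.append((exes[stem.lower()], n))
    return sorted(hits)

def build_sample_dir():
    """Constructed sample folder: a mock loader triad plus one genuine-looking MP3."""
    d = tempfile.mkdtemp()
    samples = {
        "Nv.exe": b"MZ" + b"\x00" * 62,      # stand-in for the Nvidia-shipped loader
        "helper.dll": b"MZ" + b"\x00" * 62,  # hypothetical DLL name; the article does not name it
        "Nv.mp3": b"MZ" + b"\x00" * 62,      # payload carried under an audio extension
        "song.mp3": b"ID3" + b"\x00" * 61,   # a real MP3 starts with an ID3 tag or frame sync
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    for exe, mp3 in find_sideload_triads(build_sample_dir()):
        print(f"suspicious: {exe} beside a DLL and PE-bearing {mp3}")
```

Point it at a real directory tree in an incident to triage candidate folders; the header check is deliberately cheap so it can run across a whole host.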

“We know that the group actively using the PlugX malware, also called Flowershow, had access to the Internet Explorer ZeroDay days before it was uncovered. Due to the similarities of the newly discovered exploit code and the one discovered some days ago, it is very likely that the same group is behind both instances,” Jamie Blasco of AlienVault explained.

Researchers also uncovered two more websites that appeared to be serving variants of the zero-day exploit a few days ago. One of them is India’s main Defense News Portal and the other one is a fake domain set up to replicate the site of the 2nd International LED professional Symposium +Expo. 

The genuine website for the LED professional Symposium (LpS) is led-professional-symposium.com and the crooks set up a domain called led-professional-symposium.org.

The fact that these particular websites have been targeted leads researchers to believe that these attacks are focused on specific industries. More precisely, cybercriminals may try to gather information from a specific sector by launching spear-phishing campaigns.

