What makes cybercriminals more notorious is that they do not stay idle. They keep themselves busy in improving their game and formulating newer methods to trap their preys. A case in point is a recent observation made by Quick Heal Labs where attackers are using a new open source exploit called ‘CVE-2016-0189’ for Internet Explorer. In this malicious campaign, attackers are using exploits of Microsoft Office and Internet Explorer in a single email instead of multiple ones. This campaign was active in August 2016 and was found to be targeting some private organizations in India.
What is the reason behind using multiple exploits in one email?
To increase the success rate of exploitation and execution of the delivered malware on the victim’s machine against security vulnerabilities present in Internet Explorer and Microsoft Office.
A mashup of different exploits to cause double damage
In this campaign, attackers combined an Internet Explorer exploit called ‘CVE-2016-0189’ with old Microsoft Office exploits called ‘CVE-2012-0158’ and ‘CVE-2015-2545’. This was done for to increase the chances of a reliable execution of the malware.
How does this attack begin?
The victim receives an email containing HTML and RTF files as attachments (fig 1).
If the receiver’s computer has an unpatched (outdated) version of Microsoft Office or Internet Explorer, then opening the attached files exploit the vulnerabilities in these applications, downloading and executing the malware on the victim’s machine.
Both the RTF and HTML exploit download the malware payload from the same URL path.
Some of the URLs used for downloading the malware are as follows:
Quick Heal detects the downloaded malware as “TrojanPWS.ZBot” and “Trojan.Dynamer”. These are designed to steal sensitive information stored on the infected machine and they can also download and install other malware components.
Download the PDF file below for the technical analysis of this campaign
How to stay safe against such attacks