Paul Baccas, a researcher at SophosLabs, has uncovered two new sites which have been hit by the recently-discovered Internet Explorer zero-day remote code execution vulnerability.
The attacks bear all the hallmarks of previous infections spread by the so-called Elderwood Project.
First up is a website serving the Uyghur people of East Turkestan:
A folder called “netyanus” had been created on the website, containing the following files:
The website has since been cleaned up of its malware infection, but clearly whoever infected it had an interest in infecting anyone who visited the site.
Sophos products detect the HTML files as Exp/20124792-B.
The file news.html (detected as Exp/20124792-B) decodes the obfuscated zero-day exploit code inside robots.txt, and executes it.
Sophos products detect the SWF file as Troj/SWFExp-BF, the remaining HTML file as Exp/20124792-B, and the obfuscated code hidden inside xsainfo.jpg as the Troj/Agent-ZMC Trojan horse.
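The pattern described above, where the loader page pulls obfuscated code out of files named to look harmless (robots.txt, a .jpg), can be checked for by looking for files whose content does not match their name. The Python script below is an added example, not Sophos code or detection logic; the folder and file names come from the post, while the file contents, the script markers and the printable-byte threshold are constructed assumptions.

```python
from pathlib import Path
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
SCRIPT_MARKERS = (b"<script", b"eval(", b"unescape(", b"string.fromcharcode")  # constructed, not Sophos signatures

def classify_file(path):
    """Return the reasons a file looks suspicious; an empty list means it looks benign."""
    data = Path(path).read_bytes()
    name, low, reasons = Path(path).name.lower(), data.lower(), []
    if name == "robots.txt":
        # A genuine robots.txt is printable ASCII directive lines, never script.
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
        if data and printable / len(data) < 0.95:
            reasons.append("robots.txt contains non-text bytes")
        if any(m in low for m in SCRIPT_MARKERS):
            reasons.append("robots.txt contains script-like content")
    elif name.endswith((".jpg", ".jpeg")):
        if not data.startswith(JPEG_MAGIC):
            reasons.append("jpg lacks JPEG SOI marker")
        if any(m in low for m in SCRIPT_MARKERS):
            reasons.append("jpg contains script-like content")
    elif name.endswith((".html", ".htm")):
        # Loader pattern: a page that fetches robots.txt and evaluates what it gets back.
        if b"robots.txt" in low and (b"eval(" in low or b"unescape(" in low):
            reasons.append("html loads robots.txt and evaluates it")
    return reasons

def scan_webroot(root):
    """Map relative path -> reasons for every flagged file under a web root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): r for p in root.rglob("*") if p.is_file() and (r := classify_file(p))}

def build_sample_webroot():
    """Constructed sample site: benign files plus a 'netyanus' folder holding disguised payloads."""
    root = Path(tempfile.mkdtemp())
    (root / "netyanus").mkdir()
    samples = {
        "robots.txt": b"User-agent: *\nDisallow: /admin/\n",
        "logo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + bytes(64),
        "netyanus/robots.txt": b"var s=unescape('%u4141');" + bytes(range(128, 200)),
        "netyanus/xsainfo.jpg": b"<script>eval(unescape('%u9090'));</script>",
        "netyanus/news.html": b"<script>var r=new XMLHttpRequest();r.open('GET','robots.txt',false);r.send();eval(unescape(r.responseText));</script>",
    }
    for rel, content in samples.items():
        (root / rel).write_bytes(content)
    return root
```

Run `scan_webroot(build_sample_webroot())` to see only the three files in the netyanus folder flagged, each with the reason that applies to it.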
As there is currently no proper patch for the Internet Explorer security vulnerability, chances are that a good proportion of people visiting the Uyghur site could have ended up with their computers becoming infected.
If you weren’t aware, the Uyghur people of East Turkestan have, like the inhabitants of Tibet, long campaigned for independence from the People’s Republic of China and complained about persecution.
At the same time, SophosLabs discovered another infected website – this time, it’s the website of an Iranian oil company, based in Tehran.
At the time of writing, the Iranian website is still carrying an infection so we have obscured some of its details in the image above.
On this occasion, the files implanted by the hackers take the following form:
Hopefully, if you have been paying attention, some of those filenames will look familiar to you.
You may not be in the habit of visiting websites associated with the Uyghur people, or checking out the websites of Iranian oil firms… but clearly some people and organisations may visit such sites, and could be at risk of having their computers silently infected as a result.
All the same, until a proper patch is pushed out by Microsoft, Internet Explorer users are potentially at risk from attacks which exploit this vulnerability and should take care to ensure that they have layered defences in place to minimise the risk.