IE zero-day attack delivers malware into memory then poofs on reboot

A new IE zero-day exploit spotted in the wild is hosted on a hacked U.S. website that is being used for drive-by download attacks that deliver malware into memory and then disappear upon reboot.

On Friday, security researchers at FireEye identified a new IE zero-day exploit hosted on a hacked U.S. website that is being used for targeted drive-by download attacks. The malware exploiting IE is injected directly into PC memory instead of being written to disk; the campaign has been dubbed Operation Ephemeral Hydra. While the U.S. website has not yet been named, FireEye warned that "attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy."

And no, this is not the same TIFF image zero-day vulnerability (CVE-2013-3906) that Microsoft warned about last week. However, FireEye also warned that the "zero-day exploit (CVE-2013-3906) is more widespread than previously believed" and is currently being used by at least two hacker groups in "both targeted attacks and crimeware campaigns."

The newest IE zero-day is being used in a watering hole attack; it's a targeted drive-by-download that silently infects vulnerable PCs if users visit an infected website. There are two vulnerabilities in IE currently being exploited in the wild and "the exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution."

While the vulnerability to retrieve the timestamp "affects Windows XP with IE 8 and Windows 7 with IE 9," the "memory access vulnerability is designed to work on Windows XP with IE 7 and 8, and on Windows 7." The researchers explained, "The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10. This actual attack of this memory access vulnerability can be mitigated by EMET per Microsoft's feedback."

After more in-depth analysis, FireEye claimed, "The attackers loaded the payload used in this attack directly into memory without first writing to disk - a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."

The "payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artifacts that can be used to identify infected endpoints. Specifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps."

The fact that the attackers used a non-persistent first stage payload suggests that they are confident in both their resources and skills. As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations. If the attacker did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time - thus automatically wiping the in-memory Trojan.APT.9002 malware variant from the infected endpoint.

Alternatively, the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be re-infected.
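What does triaging a memory-only payload look like when there is nothing on disk to hash? The code below is an added illustration written for this page, not FireEye's or Microsoft's tooling: it applies the usual memory-forensics heuristic to a list of a process's memory regions (constructed here to resemble an Internet Explorer process) and flags executable regions that are not backed by a loaded image, exactly the kind of region a decoded, injected shellcode payload ends up in. The `Region` type, the field names and the sample addresses are assumptions made for the example.

```python
"""Triage heuristic for memory-resident payloads (added example, not FireEye's tooling).

A payload that is "decoded and directly injected into memory" without touching
disk still has to live in memory that is executable, and that memory is not
backed by any loaded image. Enumerating a process's regions and looking for
that mismatch is the memory-forensics counterpart of checking the file system.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Region:
    base: int          # start address of the region
    size: int          # size in bytes
    protect: str       # protection flags as "r--", "r-x", "rw-", "rwx"
    backing: str       # mapped file path, or "" for private/anonymous memory
    region_type: str   # "image" (loaded module), "mapped" (file mapping) or "private"


def is_executable(r: Region) -> bool:
    return "x" in r.protect


def is_writable(r: Region) -> bool:
    return "w" in r.protect


def classify(region: Region) -> List[str]:
    """Return the reasons (possibly none) a region looks like injected code."""
    findings = []
    if is_executable(region) and region.region_type != "image":
        findings.append("executable memory not backed by a loaded image")
    if is_executable(region) and is_writable(region):
        findings.append("writable and executable (RWX)")
    if is_executable(region) and region.backing == "":
        findings.append("anonymous (file-less) executable region")
    return findings


def find_suspicious_regions(regions: List[Region]) -> List[Tuple[Region, List[str]]]:
    """Keep only the regions with at least one finding, with their reasons."""
    results = []
    for r in regions:
        findings = classify(r)
        if findings:
            results.append((r, findings))
    return results


def suspicious_bytes(regions: List[Region]) -> int:
    """Total size of flagged memory: a quick 'how much is there to dump' figure."""
    return sum(r.size for r, _ in find_suspicious_regions(regions))


# Constructed sample: what a browser process might look like after exploitation.
# Addresses, sizes and paths are made up for the example.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x00100000, "r-x", r"C:\Program Files\Internet Explorer\iexplore.exe", "image"),
    Region(0x77000000, 0x00120000, "r-x", r"C:\Windows\System32\ntdll.dll", "image"),
    Region(0x00500000, 0x00040000, "rw-", "", "private"),            # heap
    Region(0x0012d000, 0x00003000, "rw-", "", "private"),            # thread stack
    Region(0x01a00000, 0x00010000, "r--", r"C:\Windows\Fonts\arial.ttf", "mapped"),
    Region(0x02a00000, 0x00003000, "rwx", "", "private"),            # injected shellcode
]


def triage_report(regions: List[Region] = SAMPLE_REGIONS) -> List[str]:
    """Human-readable lines, one per flagged region, for an analyst's notes."""
    lines = []
    for r, findings in find_suspicious_regions(regions):
        lines.append(f"{r.base:#010x} size={r.size:#x} prot={r.protect}: " + "; ".join(findings))
    return lines


if __name__ == "__main__":
    for line in triage_report():
        print(line)
    print(f"{suspicious_bytes(SAMPLE_REGIONS):#x} bytes flagged")
```

The heuristic is a filter, not a verdict: browsers with a JIT compiler, and some packers and DRM libraries, legitimately create private executable memory, so flagged regions are candidates to dump and inspect (strings, disassembly, network indicators), with the flagged byte count telling the analyst how much there is to look at. Because the payload vanishes on reboot, this kind of capture has to happen while the endpoint is still live; that is the triage difficulty the article describes.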

FireEye was able to identify "relationships between the infrastructure used in this [newest IE zero-day] attack and that used in Operation DeputyDog." Operation DeputyDog began in August 2013 and targeted organizations in Japan. The security firm also found strings that were used when Bit9 was hit; Bit9 previously noted that "Trojan.APT.9002 (aka Hydraq/McRAT) was also used in the original Operation Aurora campaign."

Although FireEye is collaborating with the Microsoft Security team, it is also warning the public about Operation Ephemeral Hydra. Companies are advised to install EMET (Enhanced Mitigation Experience Toolkit) to protect systems from both this newest IE zero-day threat and the TIFF image zero-day vulnerability, for which Microsoft also provided a Fix It.

FireEye Labs concluded, "By utilizing strategic web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive."

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.