Last week’s patch of a Microsoft Internet Explorer vulnerability allowing remote code execution, which had lain undiscovered for almost 20 years, has prompted significant interest among cyber-attackers. Earlier this week ESET researchers spotted the first proof-of-concept showing the CVE-2014-6332 vulnerability, or 'Unicorn Bug', in action. More about this topic is now available on WeLiveSecurity.com.
Following original research by a Chinese researcher, the proof-of-concept shows that by using this vulnerability attackers can run arbitrary code on any remote machine and, moreover, bypass various anti-exploitation tools. The same Chinese researcher also found out that arbitrary code could also run on a machine with unpatched Internet Explorer that visit a specially crafted website. ESET researchers started looking for such websites.
“It was only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors,” explain ESET researchers on WeLiveSecurity.com.
The website in question, a news site ranked among the top 50 websites in Bulgaria, has only one compromised page –about TV reality show winners. The exploit, detected by ESET as Win32/Exploit.CVE-2014-6332.A, consists of two different payloads – the first a series of commands; the second a PowerShell to download a binary payload, both with the same content.
Read more about this malware and how you can protect against it on WeLiveSecurity.com.