Last week’s patch of a Microsoft Internet Explorer vulnerability allowing remote code execution, which had lain undiscovered for almost 20 years, has prompted significant interest among cyber-attackers. Earlier this week ESET researchers spotted the first proof-of-concept showing the CVE-2014-6332 vulnerability, or 'Unicorn Bug', in action. More about this topic is now available on WeLiveSecurity.com.
Following original research by a Chinese researcher, the proof-of-concept shows that by using this vulnerability attackers can run arbitrary code on any remote machine and, moreover, bypass various anti-exploitation tools. The same researcher also found that arbitrary code could run on a machine with an unpatched Internet Explorer that visits a specially crafted website. ESET researchers started looking for such websites.
“It was only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors,” explain ESET researchers on WeLiveSecurity.com.
The website in question, a news site ranked among the top 50 websites in Bulgaria, has only one compromised page, about TV reality show winners. The exploit, detected by ESET as Win32/Exploit.CVE-2014-6332.A, consists of two different payloads: the first is a series of commands; the second uses PowerShell to download a binary payload, both with the same content.
Read more about this malware and how you can protect against it on WeLiveSecurity.com.