11:00 ET, 20 February 2014

Security researchers from FireEye have recently  discovered a new IE 10 Zero-Day exploit being used in a watering hole attack.

Security experts at FireEye discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars (VFW) website. The zero-day allows the attacker to modify one byte of memory at an arbitrary address, the hackers exploit it to perform following actions:

  • Gain access to memory from Flash ActionScript, bypassing address space layout randomization (ASLR)
  • Pivot to a return-oriented programing (ROP) exploit technique to bypass data execution prevention (DEP)

The hacking campaign was codenamed “Operation SnowMan” by FireEye, the hackers seems to be linked to the authors of the operations DeputyDog and Ephemeral Hydra discovered in last months. The hackers are responsible for numerous attackers against different industries, including US Government offices, defense contractors and Japanese firms.

“The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term,” reports FireEye.

The attackers, that seems to be operating out of China,  targets IE 10 with Adobe Flash. The hackers injected an iframe to the VFW site’s code that loads the attacker’s page in the background, the malicious code allows execution of Flash object used to perform further operations and compromise the machine.

“After compromising the VFW website, the attackers added an iframe into the beginning of the website’s HTML code that loads the attacker’s page in the background. The attacker’s HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit. The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript.  Specifically, visitors to the VFW website were silently redirected through an iframe to the exploit at www.[REDACTED].com/Data/img/img.html.”

The “watering hole” refers the practices to inject malicious code onto the public Web pages of a site that the targets use to visit.  The attackers don’t compromise indiscriminately any website, but they are focused, choosing websites within a particular industry. The technique results ideal to compromise selected targets, individuals or limited communities, that search for specific contents proposed by website used to deliver malicious code.

The Number of watering hole attacks is increasing, most of them based on well-known exploit kit, in May 2013 the Indian Gov website was compromised with the same technique serving  the Black Hole exploit.

Typically attackers use to compromise legitimate websites with a “drive-by” exploit, watering hole technique has been observed since 2009 when civil society organizations were attacked  with this method and used as a channel to deliver 0-day exploit to specific targets.

The efficiency of watering hole attacks increase with the use made by attackers of zero-day exploits that affect victim’s software, in this case victims has no way to protect their systems from the malware diffusion.

Once a victim visits the page on the compromised website a backdoor trojan is installed on his computer, the watering hole method of attacks is very common for cyber espionage operation or state sponsored attacks as confirmed by FireEye. Governments are the primary buyers for zero-day exploits that are used to compromise a victim’s machine remaining uncovered for long periods, the capability to stay hidden during the time is determinant for the success of the attack. Watering hole attacks were a favorite attack method for groups operating out of Russia and China.

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,”  “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.” FireEye reported in the official blog post.

Key findings in the attack include:

The vulnerability (CVE-2014-0322) is a previously unknown use-after-free vulnerability in Microsoft Internet Explorer 10.

Because the vulnerability allows attackers to modify memory to an arbitrary address, the attacker can use it to bypass ASLR.

Exploitation is aborted if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET).

The exploit dropped an XOR (0×95) payload that executed a ZxShell backdoor (MD5: 8455bbb9a210ce603a1b646b0d951bce).

The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11.

The particular variant of the ZxShell backdoor called back to a command and control server located at newss[]effers[]com.., which at the time of publishing resolves to The domain info[.]flnet[.]org also resolved to this IP address on 2014-02-12.

Pierluigi Paganini

(Editor-In-Chief, CDM)