[ Sharing ] More ITW Exploitation of Internet Explorer ‘Unicorn bug’ found

These past few days I have seen friends asking me whether I have seen any sites using CVE-2014-6332 during work.
Sad to say, I can’t talk about work. So today I will talk about what I’ve seen during my free personal time.

[ How it starts ]
So what is this vulnerability known as CVE-2014-6332?
This is an interesting bug, as it affects Internet Explorer versions 3 through 11. This means that most, if not all, Internet Explorer users are vulnerable unless they are on patched systems. It was first disclosed publicly by @yuange75 here, back on 01st August 2014: http://hi.baidu.com/yuange1975/item/c667f900cf0e2fc02e4c6bed
However, he had found it long before that.

I guess it was only a matter of time before “malware writers” started using this knowledge as part of their cybercrime. I’m not from any AV company or ThreatIntel team selling “APT” news, but I do want more people to know that there are now several compromised websites using this CVE-2014-6332 vulnerability to install malware on the computers of their unsuspecting visitors.

[ Compromised Website details ]
The very first one that I found is www[.]uyghurweb[.]net
The page source contains 2 interesting things that caught my “eyes”.

The 1st one is “http://122[.]10[.]91[.]20/2013/frame.js”, but it was down when I tried to grab it.
The other is the other JavaScript files in the page.

The more interesting one is “js/udg.js”, as it actually redirects visitors to another website serving “CVE-2014-6332”.

As you can see, the exploit is hosted on the domain “http://www[.]owner[.]com[.]tw”.
The source of “new.htm” is shown below.
[screenshot: source of new.htm on owner.com.tw]
It looks almost identical to the one shared by @yuange75. I suppose this malware writer was too lazy to change anything in it.
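The kind of page-source triage described above, as an added example (not code from this post or from any of the sites it names): it lists script tags loaded from a host other than the page’s own, inline JavaScript that bounces the visitor elsewhere, and VBScript blocks, since the public proof-of-concept for this bug is VBScript-based. The sample page, hosts and paths below are constructed, not taken from the compromised sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (per the post): off-host script load, JS redirect to the exploit page, VBScript block.
SAMPLE_URL = "http://compromised.example/index.htm"
SAMPLE_HTML = """<html><body>
<script src="http://192.0.2.10/2013/frame.js"></script>
<script>window.location.href = "http://exploit-host.invalid/new.htm";</script>
<script language="VBScript">On Error Resume Next
redim Preserve arr(10)</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        lang = (a.get("language") or a.get("type") or "javascript").lower()
        if a.get("src"):
            self.external.append((a["src"], lang))
        else:
            self._cur = [lang, ""]          # inline body collected by handle_data
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.inline.append((self._cur[0], self._cur[1].strip()))
            self._cur = None

# JS constructs commonly used to bounce a visitor to another page.
REDIRECT_RE = re.compile(r"location\.href|window\.location|document\.write\s*\(\s*['\"]<iframe", re.I)

def triage(page_url, html):
    """Return (kind, detail) findings worth a second look in a page's source."""
    c = ScriptCollector()
    c.feed(html)
    host = urlparse(page_url).netloc
    findings = []
    for src, _ in c.external:
        if urlparse(src).netloc not in ("", host):   # relative/same-host loads not flagged
            findings.append(("offhost_script", src))
    for lang, body in c.inline:
        if "vbscript" in lang:              # the public PoC for this bug is VBScript-based
            findings.append(("vbscript_block", body[:40]))
        elif REDIRECT_RE.search(body):
            findings.append(("redirect", body[:60]))
    return findings
```

Run `triage(url, page_source)` over a fetched page; an off-host script plus a redirect to a third host is exactly the pattern seen on the compromised site above and is worth pulling the redirect target for a closer look.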

I actually found a total of 7, but some are too sensitive to be shared. One of them was disclosed by ESET here:
http://www.welivesecurity.com/2014/11/20/first-exploitation-of-unicorn-bug/
The other 3 non-sensitive sites that I’ve found are:
http://finance[.]cedare[.]int/luz.htm
http://www[.]edicot[.]com/lulz.htm
http://www[.]e-ctasia[.]com/lulz.htm

But interestingly, all 3 of these show “Hacked by LulzSec”, and the following is found in the page source.

My guess is that the first one is probably not related to the other 3. But one thing is for sure: there are more of these websites serving “CVE-2014-6332” as we speak.
I’ll probably blog about the payload later.

[ Conclusion ]
Although I do not have the mass amount of data that AV companies or ThreatIntel companies have to offer IOCs (Indicators of Compromise), if I can find a few websites within a week, I suppose it’s just a matter of time before ExploitKits integrate this vulnerability into their existing toolkits. Since most Internet Explorer versions are affected, I guess users of Internet Explorer should just update IE NOW!!!!!

Happy Reversing
Jacob Soo
