New IE exploit variant used to distribute PlugX malware, researchers say

A variant of the recently discovered Internet Explorer exploit was identified by researchers from AlienVault

Researchers from security vendor AlienVault have identified a variant of a recently discovered Internet Explorer exploit that is used to infect targeted computers with the PlugX remote access Trojan (RAT) program.

The newly discovered exploit variant targets the same unpatched vulnerability in IE 6, 7, 8 and 9 as the original exploit, but uses slightly different code and has a different payload, AlienVault Labs manager Jaime Blasco said Tuesday in a blog post.

The first exploit was found over the weekend on a known malicious server by security researcher Eric Romang and distributed the Poison Ivy RAT. The second exploit version discovered by AlienVault researchers was found on a different server and installs a much newer RAT program called PlugX.

However, file modification dates seen on both servers suggest that both versions of the exploit have been in use since at least Sep. 14.

"We know that the group actively using the PlugX malware also called Flowershow had access to the Internet Explorer ZeroDay [exploit targeting an unpatched vulnerability] days before it was uncovered," Blasco said. "Due to the similarities of the new discovered exploit code and the one discovered some days ago it is very likely that the same group is behind both instances."

AlienVault researchers have been tracking attacks that use the PlugX RAT since earlier this year. Based on file debug paths found inside the malware, they believe that the relatively new RAT was developed by a Chinese hacker known as WHG, who had previous ties with the Network Crack Program Hacker (NCPH), a well known Chinese hacker group.

AlienVault researchers have also identified two additional websites that served the new IE exploit in the past, but no payload could be obtained from them, Blasco said. One was a defense news site from India and the other was probably a fake version of the 2nd International LED professional Symposium website, he said.

"It seems the guys behind this 0day were targeting specific industries," Blasco said.

The server where the original IE exploit was found also stored an exploit for an unpatched Java vulnerability last month. That Java exploit was used in attacks attributed by security researchers to a Chinese hacker group dubbed "Nitro."

Microsoft already released a security advisory about the new IE vulnerability and recommended temporary mitigation solutions while it works on a patch.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?