Most security firms are currently busy analyzing the latest Internet Explorer (IE) zero-day exploit. One of these companies is AlienVault which has not only found websites that host the malicious code, but it has also uncovered a connection to the PlugX RAT.
Experts have identified a new version of the moh2010.swf Flash file utilized in the attacks that leverage the IE exploit. Their analysis led them to a file called Nv.exe, which is used by Nvidia for several of its applications.
As it turns out, the cybercriminals are relying on Nv.exe to load a DLL file which executes the binary content of another component named Nv.mp3.
The malicious payload present in this Nv.mp3 file is actually a version of the PlugX Remote Administration Trojan (RAT).
“We know that the group actively using the PlugX malware, also called Flowershow, had access to the Internet Explorer ZeroDay days before it was uncovered. Due to the similarities of the newly discovered exploit code and the one discovered some days ago, it is very likely that the same group is behind both instances,” Jaime Blasco of AlienVault explained.
Researchers also uncovered two more websites that appeared to be serving variants of the zero-day exploit a few days ago. One of them is India’s main Defense News Portal and the other one is a fake domain set up to replicate the site of the 2nd International LED professional Symposium +Expo.
The genuine website for the LED professional Symposium (LpS) is led-professional-symposium.com, and the crooks set up a domain called led-professional-symposium.org.
The fact that these particular websites have been targeted leads researchers to believe that these attacks are focused on specific industries. More precisely, cybercriminals may try to gather information from a specific sector by launching spear-phishing campaigns.