The exploit has been planted on a high-profile website

Nov 11, 2013 09:13 GMT  ·  By

Last week, FireEye researchers warned about a watering hole attack that exploited an Internet Explorer zero-day in order to deliver malware. The exploit was identified on a hacked US-based website set up for a drive-by download attack.

The vulnerability exploited in this attack is designed to specifically target the English versions of Internet Explorer 7 and 8 running on Windows XP, and Internet Explorer 8 running on Windows 7. However, experts warn that the security hole in question actually impacts IE variants between 7 and 10.

After further analyzing the malicious campaign, FireEye researchers have determined that the attacks are actually the work of an advanced persistent threat (APT) group that uses the same infrastructure as the actors behind Operation DeputyDog. Operation DeputyDog started in August 2013 and targeted Japanese organizations.

The new operation, dubbed Operation Ephemeral Hydra, is notable because the malware served through the IE exploit is never written to disk; the payload is loaded directly into memory.

According to experts, this indicates that the attackers are confident in their resources and skills. The fact that the payload is injected directly into memory has both advantages and disadvantages.

The advantage of such a non-persistent payload is that it leaves no file on disk, which makes it harder for targeted organizations to protect their networks and to identify infected computers.

On the other hand, a piece of malware that’s written directly into memory has to achieve its goals before the computer is rebooted. When a device is restarted, the content of volatile memory, including the malware, is erased.

The malware itself is a variant of Hydraq/McRAT, detected as Trojan.APT.9002.

The website on which it has been planted has not been named by FireEye. However, researchers warn that it’s a “strategically important” site that’s mostly visited by users interested in both national and international security policy.

Update. Microsoft says it will address this Internet Explorer vulnerability in its upcoming security updates.