Softpedia
 


June 30th, 2010, 16:47 GMT · By

Windows HCP Vulnerability Exploited in Sophisticated Attack



Sophisticated attack targets two defense contractors
Symantec has intercepted a highly sophisticated attack against two defense contractors, which leveraged the unpatched Windows Help Center vulnerability disclosed earlier this month. Complex social engineering techniques were also used to trick their employees into opening a malicious link.

The attack started with the hacker compromising the website of one defense contractor and creating a directory called "press release" on the server. A web page, an obfuscated JavaScript file and a binary were then dropped in this folder.

The web page contained code for inspecting the User-Agent header field and extracting the operating system and browser information. An exploit was then loaded if the visitor used IE7, IE8 or Firefox on Windows XP. A secondary check made sure that a different exploit got served if the browser was Firefox.

"In either case the attacker attempts to get the browser to download a second file from the same website. This file contains two levels of obfuscated Javascript that exploits the Microsoft Help vulnerability discovered on June 9th," Martin Lee, a senior malware analyst at Symantec Hosted Services, explains.

Upon successful exploitation, the binary file, which was stored on the server with a .txt extension, was downloaded and executed by invoking an ActiveXObject. The Symantec researcher doesn't name the malware used in the attack, but notes that it is capable of receiving instructions remotely.
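The .txt disguise described above is something a web proxy or download scanner can catch by comparing the claimed extension with the file's actual header. The following is an added example, not code from Symantec or from the article; the host name, file names and sample bodies are constructed for illustration.

```python
import struct

# Extensions that should never carry a Windows executable (assumed list).
TEXT_EXTENSIONS = (".txt", ".log", ".csv")


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def flag_disguised_executables(downloads):
    """Return URLs whose path claims to be text but whose body is a PE image."""
    flagged = []
    for url, body in downloads:
        path = url.split("?", 1)[0].lower()
        if path.endswith(TEXT_EXTENSIONS) and looks_like_pe(body):
            flagged.append(url)
    return flagged


def constructed_pe_stub() -> bytes:
    """Constructed sample: minimal DOS header followed by a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed (url, response body) pairs, as a proxy might record them.
SAMPLE_DOWNLOADS = [
    ("http://contractor.example/press%20release/notes.txt", constructed_pe_stub()),
    ("http://contractor.example/readme.txt",
     b"MZ is also how some plain text starts" + b" " * 40),
    ("http://contractor.example/setup.exe", constructed_pe_stub()),
]

if __name__ == "__main__":
    for url in flag_disguised_executables(SAMPLE_DOWNLOADS):
        print("executable served with a text extension:", url)
```

Checking the PE signature as well as the leading `MZ` bytes keeps ordinary text that happens to begin with those two letters from being flagged.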

Once this whole setup was in place, the attacker researched a second defense contractor in order to identify a few email addresses belonging to its employees. He then sent them a crafted email claiming that the CEO of the first company was arrested by the FBI for violating export regulations. The email contained a link to the fake press release page on the primary defense contractor's website.

Companies working under Defense Department contracts are considered high-profile targets, due to the nature of the information they work with. Back in January, Finnish antivirus vendor F-Secure revealed that several defense contractors were the target of an attack using malicious PDF documents.
