All clues point to another targeted attack

May 10, 2016 22:25 GMT  ·  By

Microsoft today released security fixes for several of its products as part of its Patch Tuesday update cycle. One of the patches closes an Internet Explorer zero-day vulnerability that was being exploited in drive-by downloads served from South Korean websites.

The vulnerability in question is CVE-2016-0189, a flaw Microsoft describes as a "Scripting Engine Memory Corruption Vulnerability". It affects Internet Explorer 9, 10 and 11, including Internet Explorer 11 on Windows 10.

The vulnerability also affects users running Microsoft JScript 5.8 and 5.7 and Microsoft VBScript 5.8. Microsoft's MS16-051 and MS16-053 security bulletins provide more details.

Phishing emails led to websites hosting drive-by downloads

Security firm Symantec says it identified a group sending spear-phishing emails that contained a link to a .co.kr domain.

According to Symantec, the site at this domain hosted JavaScript that profiled each visitor, checking which versions of Internet Explorer, Flash and Windows were installed. If the visitor matched a vulnerable configuration, the site served an obfuscated VBScript file to the browser.

The VBScript executed automatically and, by exploiting the zero-day, downloaded a malicious file named rund11.dll (a name that at a glance resembles the legitimate rundll naming) into the user's Temp folder. Symantec says it was unable to determine what this file did after that point.
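To make the profiling step concrete, here is an added example (not code from the article, from Symantec's report, or from the attackers) of the kind of browser fingerprinting such a landing page performs, reduced to pure functions so it can be run in Node against constructed user-agent strings. The set of affected Internet Explorer versions comes from the bulletin; the function names, regular expressions and sample strings are the editor's assumptions about how such a check is typically written, not the actual landing-page code.

```javascript
// Added example (not from the article or Symantec): the version-profiling stage
// of a drive-by landing page, written as pure functions testable outside IE.

// Windows NT kernel version -> marketing name (well-known mapping).
const WINDOWS_NAMES = {
  '5.1': 'Windows XP', '6.0': 'Windows Vista', '6.1': 'Windows 7',
  '6.2': 'Windows 8', '6.3': 'Windows 8.1', '10.0': 'Windows 10',
};

// IE 9 and 10 announce themselves with an "MSIE x.0" token; IE 11 dropped
// that token and is identified by "Trident/7.0" together with "rv:11.0".
function ieVersion(ua) {
  const msie = /MSIE (\d+)\.\d+/.exec(ua);
  if (msie) return parseInt(msie[1], 10);
  const trident = /Trident\/7\.0.*rv:(\d+)\.\d+/.exec(ua);
  if (trident) return parseInt(trident[1], 10);
  return null; // not Internet Explorer
}

function windowsVersion(ua) {
  const m = /Windows NT (\d+\.\d+)/.exec(ua);
  if (!m) return null;
  return WINDOWS_NAMES[m[1]] || ('Windows NT ' + m[1]);
}

// Inside IE, Flash can be probed through the ActiveX bridge. Outside a
// browser (e.g. Node) ActiveXObject does not exist, so return null instead
// of throwing; the probe itself is an assumption about a typical landing page.
function flashVersion() {
  if (typeof ActiveXObject === 'undefined') return null;
  try {
    const ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');
    return ax.GetVariable('$version'); // e.g. "WIN 21,0,0,242"
  } catch (e) {
    return null; // Flash not installed or ActiveX blocked
  }
}

// IE versions MS16-051 lists as affected by CVE-2016-0189.
const AFFECTED_IE = new Set([9, 10, 11]);

// Returns the profile a landing page would build for one visitor.
// "targeted" is the editor's simplification: true when the IE version is in
// the affected set, regardless of Windows version.
function profileVisitor(ua) {
  const ie = ieVersion(ua);
  return {
    ie: ie,
    windows: windowsVersion(ua),
    flash: flashVersion(),
    targeted: ie !== null && AFFECTED_IE.has(ie),
  };
}

// Constructed sample user agents (not captured traffic).
const SAMPLE_UAS = [
  'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)',
  'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
  'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36',
];

// In a browser the page would profile navigator.userAgent; in Node, run the samples.
if (typeof navigator !== 'undefined') {
  console.log(profileVisitor(navigator.userAgent));
} else {
  for (const ua of SAMPLE_UAS) console.log(profileVisitor(ua));
}
```

The same parsing is useful on the defensive side: run it over proxy or web-server logs to inventory which hosts still present an IE 9, 10 or 11 user agent and therefore need MS16-051 (or MS16-053 for the standalone scripting engines) before they browse again.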

South Korea is a regular target of cyber-espionage campaigns

Security researchers assess that the attack was aimed specifically at South Korean users.

"The Internet Explorer zero-day attack impacted South Korea, which is known to rely on this web browser. In 1999, South Korea introduced a law that required online vendors to adopt Microsoft ActiveX to use the region’s SEED cipher for transactions. Internet Explorer is the only browser to support ActiveX," Symantec noted. "While South Korea has since planned to scrap this regulation, the region is still heavily dependent on this web browser."

In recent months, South Korea has been the target of multiple cyber-espionage campaigns. Last October, Symantec uncovered a campaign that used the Duuzer backdoor trojan to spy on South Korean organizations in the manufacturing sector.

A month earlier, FireEye reported on a separate campaign that exploited a different zero-day, this time in the South Korean-made Hangul Word Processor, to target South Korean government employees.