IE Zero-Day Ephemeral Hydra
A new IE zero-day exploit has been discovered by researchers at FireEye. This exploit is interesting because of the unknowns: Without code to make the exploit persistent, we don’t know what the attacker is after.
It is like coming home to your door being wide open, you don’t know if the attacker is inside, or the intentions of who is in there, or if they have left what and if so what they took and why.
Given that the code was found on a website targeting national and international security policy, we can assume the targets are political. That we have not see anything to make the exploit persistent I would assume that the attackers are cherry picking their targets when devices connect back to the command and control server.
The code can send back data to the command and control server and based on IP range, network, username etc if a target looks high value they may then be executing further stages of the attack.
Instead of mass deploying a payload to all devices that connect to the compromised server giving away your tricks and allowing security researchers to pick apart the payload, it is much better to only hit the valuable targets with it, this helps mitigate the risk on the attackers side of being discovered and thwarted.
Although too soon to tell it looks like the issue is affecting only Internet Explorer. For this and a number of other reasons it would be best to avoid using IE and instead download another browser such as Chrome or Firefox.
Business organizations should also be monitoring any devices connecting to 126.96.36.199 as that appears to be at least the one known command and control server. The Trojan is also using non-HTTP protocols and HTTP Posts, so monitoring traffic leaving the network should be monitored closely if it isn’t already looking for signs of data exfiltration.