IE zero-day is targeted, sophisticated

On Saturday, security company FireEye reported a zero-day attack against Internet Explorer. Sunday they followed up with more detail on the attack. They call the attack "the diskless 9002 RAT." RAT is Remote Access Trojan; this specific trojan is a variant of the earlier Trojan.APT.9002; we will explain "diskless" below.

The attack is a sophisticated one, and appears to be the work of the same gang that pulled off FireEye calls the recent Operation DeputyDog. Both attacks used command and control servers in the same domain (dll.freshdns.org).

The attack has the earmarks of a highly-targeted attack against a target on which the attackers have conducted some reconnaissance. FireEye adds "…the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy". There seems to be no reason to be concerned about widespread use of the attack for now.

FireEye seems most taken with the fact that this attack is non-persistent. Most APTs (Advanced Persistent Threats) write themselves to disk so that they can reload on reboot. Not the diskless 9002 RAT; it injects itself into memory and executes, but does not persist. This is why it is called diskless.

Disklessness makes the threat much harder to identify through forensic methods. It also means that attack may not live in the system long enough to accomplish its goal. FireEye speculates that either the attackers are confident that the targets will revisit the site often enough to get the job done or they expected that the attack would move laterally within the organization, hunting for their goal.

The attack also uses a new method of self-encryption which is more sophisticated than earlier versions of the Trojan.APT.9002.

FireEye says they are working with Microsoft on the threat, but Microsoft has not publicly acknowledged either the attack or the vulnerability behind it.