South Korea victim of Internet Explorer zero-day vulnerability

Research from Symantec has revealed that the Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability was used in targeted attacks in South Korea.
Written by Asha Barbaschow, Contributor

Security firm Symantec has reported that South Korea has been affected by targeted attacks that exploited an Internet Explorer zero-day vulnerability.

According to a post on the company's blog, attackers were able to use an exploit -- dubbed Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability CVE-2016-0189 -- to execute arbitrary code.

"They may have distributed the exploit through a link included in a spear-phishing email or a compromised, legitimate website that redirected users to the exploit," the blog explains.

Symantec said the exploit's landing page contained JavaScript code that profiled the visiting user's computer: the code checked whether the computer was a virtual machine and determined which versions of Internet Explorer, Flash, and Windows it was running.

The security firm said the information was then sent back to a South Korean website.

"The JavaScript then delivered the exploit in an obfuscated VBScript file. If the exploit succeeded, it downloaded a malicious file from a .co.kr website," Symantec wrote.

"Once the file was downloaded, the exploit code decrypted it by XORing the file with the value 0x55164975. The file was then saved to the computer as %Temp%\rund11.dll. The final payload is unknown at this time."
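As an added example (not code from the article or from Symantec's report), a forensic helper for the XOR step quoted above: it applies the 0x55164975 key to a captured download and validates the result by the MZ/PE headers a DLL must carry. The report does not state the key's byte order, so trying both little- and big-endian layouts is an assumption of this example.

```python
# Added example, not from the Symantec write-up: decode a payload captured from the
# download described above, which the report says was XORed with 0x55164975 before
# being saved as %Temp%\rund11.dll.
# Assumptions: the 32-bit key is applied as a repeating 4-byte keystream, and its
# byte order is unknown, so both layouts are tried and checked against PE headers.
import struct

KEY = 0x55164975  # value quoted in the Symantec report

def xor_with_dword(data: bytes, key: int, byteorder: str) -> bytes:
    """XOR data with the 4-byte key repeated as a keystream (self-inverse)."""
    ks = key.to_bytes(4, byteorder)
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))

def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def decode_payload(captured: bytes):
    """Return (byteorder, decoded) for the key layout that yields a PE, else None."""
    for order in ("little", "big"):
        plain = xor_with_dword(captured, KEY, order)
        if looks_like_pe(plain):
            return order, plain
    return None

def make_stub_pe() -> bytes:
    """Constructed stand-in for a DLL: MZ header with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 20

if __name__ == "__main__":
    # Constructed "captured" blob; in practice this would be the body carved from a pcap.
    sample = xor_with_dword(make_stub_pe(), KEY, "little")
    result = decode_payload(sample)
    print("recovered PE, key byte order:", result[0] if result else "none")
```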

Internet Explorer 9, 10, and 11 were exposed to CVE-2016-0189, which Microsoft fixed in its latest Patch Tuesday release. Attackers targeting South Korea took advantage of the zero-day vulnerability before the computer giant patched it.

According to Symantec, South Korea introduced a law in 1999 that required online vendors to adopt Microsoft ActiveX to use the region's SEED cipher for transactions. With Internet Explorer being the only browser to support ActiveX, Symantec said users in the country still tend to rely on the browser.

"The motivations of attacks affecting South Korean organisations often involve espionage or sabotage," Symantec said. "Attackers have been observed targeting South Korean entities to gain remote access to their computers, steal sensitive data, or wipe hard drives."
