South Korea Under Internet Explorer Zero-Day Attack

The Symantec company has discovered an Internet Explorer zero-day vulnerability that was used in limited targeted attacks in South Korea. A blog post, published on the company’s website, stated that the exploit was hosted on a web page which would suggest the perpetrators used spear-phishing emails or watering hole attacks in order to compromise users.

The cyber criminals managed to get use of the Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability (CVE-2016-0189) before Microsoft could fix it in its latest Patch release.

The Symantec Security Response stated:
The exploit’s landing page contained JavaScript code that profiled the computer belonging to the user visiting the site. The code checked to see if the computer was a virtual machine, and determined which version of Internet Explorer, Flash, and Windows was running on the computer.

This information was then sent back to a website with South Korea’s top-level domain (TLD),, in the URL.

The JavaScript then delivered the exploit in an obfuscated VBScript file. If the exploit succeeded, it downloaded a malicious file from a website.”

Once the file was downloaded, the exploit code decrypted it by XORing the file with the value 0x55164975. The file was then saved to the computer as %Temp%\rund11.dll.”

The final payload is unknown at this time.”

Currently, the purpose of the attack is unclear, though hacks on South Korean entities often involve espionage or sabotage with the intention of gaining remote access, stealing sensitive data or wiping hard drives.

The so called “zero-day exploits” keep on becoming more prevalent with the number of vulnerabilities discovered, registering huge increases during the past two years. According to the Internet Security Threat Report of Symantec, there was a record high of 54 found in 2015, which is a 125% rise when compared to 2014.

The Infosecurity Symantec’s EMEA chief strategist Sian John said that discovering and targeting vulnerabilities in websites and software is becoming a go-to approach for increasingly sophisticated cyber-criminals.

Targeting website or software vulnerabilities is an appealing technique for cyber-criminals as it allows them to exploit the issue multiple times, often accessing thousands of people’s personal details before the issue is identified and publically disclosed. This can also happen if a relevant patch is not available or hasn‘t been applied quickly enough.”

Nevertheless, John explained that there are several easy steps which users can take to help protect against zero-day attacks, such as keeping security software and operating systems up-to-date at all times.

These updates frequently include series of patches that tackle newly discovered vulnerabilities exploited by cyber-criminals. Additionally, it’s important to remain wary of e-mails from unrecognized contacts that contain attachments.”

Meanwhile, all users are highly advised to implement the patch for the Internet Explorer vulnerability immediately.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.