[German] Brief information for people who still use Internet Explorer (it mainly concerns company administrators). Malware has been discovered that exploits the Internet Explorer vulnerability CVE-2020-0968. Microsoft has had a patch available for it since April 2020.
Internet Explorer vulnerability CVE-2020-0968
CVE-2020-0968 is a scripting engine memory corruption vulnerability in Internet Explorer. It is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could be granted the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user rights.
In a Web-based attack scenario, an attacker could host a specially crafted Web site that exploits the vulnerability in Internet Explorer when a user visits it. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.
Microsoft released security updates on April 14, 2020 that fix this vulnerability in the scripting engine. It was closed by the cumulative security updates and monthly rollups for Windows and by the Internet Explorer update KB4550905.
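To check whether a host actually received this fix, here is an added PowerShell example (not from the original post) that looks for KB4550905, counts later security updates that would supersede it, and records the scripting engine DLL versions. The function name and the heuristic of treating any security update installed on or after April 14, 2020 as a superseding rollup are my assumptions.

```powershell
# Added example, not part of the original post: report whether a Windows host
# received the April 14, 2020 scripting-engine fix for CVE-2020-0968.
# Assumptions: the KB number comes from the post; the date threshold is the
# patch release date; any later "Security Update" is treated as a superseding
# cumulative update (a heuristic, not an authoritative supersedence check).
function Test-Cve20200968Patch {
    $patchDate = Get-Date '2020-04-14'
    $hotfixes  = Get-HotFix

    # Direct hit: the Internet Explorer update named in the post.
    $ieUpdate = $hotfixes | Where-Object { $_.HotFixID -eq 'KB4550905' }

    # Later cumulative updates supersede KB4550905, so its absence alone does
    # not mean the host is unpatched. Count security updates installed on or
    # after the patch date as evidence of a newer rollup.
    $laterRollups = $hotfixes | Where-Object {
        $_.Description -match 'Security Update' -and
        $null -ne $_.InstalledOn -and
        $_.InstalledOn -ge $patchDate
    }

    # The fix lives in the scripting engine DLLs; record their file versions
    # so results can be compared across hosts (e.g. against a known-good one).
    $engines = foreach ($dll in 'jscript.dll', 'jscript9.dll') {
        $path = Join-Path $env:SystemRoot "System32\$dll"
        if (Test-Path $path) {
            [pscustomobject]@{
                File    = $dll
                Version = (Get-Item $path).VersionInfo.FileVersion
            }
        }
    }

    # Installed IE version, useful when correlating with the applicable KB.
    $ieKey     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ieVersion = (Get-ItemProperty $ieKey -ErrorAction SilentlyContinue).svcVersion

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        IEVersion            = $ieVersion
        HasKB4550905         = [bool]$ieUpdate
        LaterSecurityUpdates = @($laterRollups).Count
        LikelyPatched        = [bool]$ieUpdate -or (@($laterRollups).Count -gt 0)
        ScriptEngines        = $engines
    }
}

Test-Cve20200968Patch | Format-List
```

Get-HotFix only lists updates recorded by Win32_QuickFixEngineering, so a host reporting LikelyPatched = False should be confirmed through Windows Update history or your patch management tool before being treated as vulnerable.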
Malware sample found
On Twitter last night I was informed that a malware sample was uploaded from Belarus to VirusTotal, which downloads an exploit for the Internet Explorer vulnerability CVE-2020-0968.
ClearSky Research discovered the malware embedded in an RTF file on September 20, 2020. The first file was uploaded to VirusTotal from Belarus, where demonstrations against the ruler Lukashenko are currently taking place. The file name and the content of the Word file contain forms to be filled out about people who are accused of crimes before the Supreme Court.
The RTF file executes arbitrary code fetched from a C2 server. The code execution could be used for further malware downloads, data theft and a variety of other malicious activities. In the analyzed case, the RTF file downloads an exploit for Internet Explorer that targets the CVE-2020-0968 vulnerability. According to the security researchers, the vulnerability had not been exploited in the wild until now.
The Internet Explorer exploit then downloads the payload, but the file is encrypted and must be decrypted to run. While the security researchers were compiling their analysis, they discovered that there is already a detailed analysis, written in Chinese, that calls this attack "Operation Domino". Details are available here.