An APT group is exploiting two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.
The first issue, tracked as CVE-2019-17026, affects the Firefox browser and was addressed in January.
In January, Mozilla confirmed that it’s aware of targeted attacks exploiting the CVE-2019-17026 zero-day, but it did not disclose details of the attacks.
The vulnerability was reported to Mozilla by security experts from the Chinese firm Qihoo 360.
The experts reported that the CVE-2019-17026 zero-day had been exploited by attackers along with an Internet Explorer zero-day, Qihoo 360 experts initially disclosed the discovery via Twitter, but later deleted the message.
The second flaw tracked as CVE-2020-0674 is an RCE affecting the Internet Explorer, Microsoft addressed it in February,
According to the
Qihoo experts also tracked the group as the “Peninsula APT,” likely because it refers to an APT group operating from Korea.
Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report containing technical details on attacks exploiting both flaws and aimed at Japanese entities
“When you are directed to the attack site with IE or Firefox, the attack code corresponding to the browser you accessed is returned.” states the JPCERT.
“After that, if the attack succeeds, the attack code will be downloaded again as a proxy automatic configuration file (PAC file). The downloaded attack code is executed as a PAC file, and the malware is downloaded and executed.”
The exploitation of the flaw allows delivering a proxy auto-configuration (PAC) file to the system. The PAC files are used to redirect requests made to specified websites through an external server under the control of the attackers.
The final payload used in the attack is a variant of the Gh0st RAT that was employed in multiple attacks carried out by China-linked APT groups. Experts pointed out that
“As a result of verification, it was confirmed that the attack on IE confirmed this time will be performed until execution of malware on Window 7 x64 (December 2019 release patch applied) and Windows 8.1 x64 (January 2020 release patch applied), No malware infection occurred in the environment of Windows 10 (with the January 2020 release patch applied).” concluded the report. “It is possible that the code was not compatible with Windows 10 in this attack.”
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.