Hackers exploited IE and Firefox flaws in attacks on entities in China, Japan

An APT group is exploiting the flaws patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.

An APT group is exploiting two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.

The first issue, tracked as CVE-2019-17026, affects the Firefox browser and was addressed in January.

The CVE-2019-17026 flaw is an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement,” where IonMonkey is the Just-in-Time (JIT) compiler for Firefox’s SpiderMonkey JavaScript engine.

In January, Mozilla confirmed that it’s aware of targeted attacks exploiting the CVE-2019-17026 zero-day, but it did not disclose details of the attacks.

The vulnerability was reported to Mozilla by security experts from the Chinese firm Qihoo 360.

The experts reported that the CVE-2019-17026 zero-day had been exploited by attackers along with an Internet Explorer zero-day, Qihoo 360 experts initially disclosed the discovery via Twitter, but later deleted the message.

The second flaw tracked as CVE-2020-0674 is an RCE affecting the Internet Explorer, Microsoft addressed it in February,

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting a specially crafted content designed to exploit the issue through Internet Explorer.

According to the cybersecurity firm Qihoo 360, threat actors exploited both flaws before they have been addressed by Microsoft.

The experts pointed out that the two vulnerabilities were exploited as part of a campaign aimed at Chinese government agencies and attributed to the DarkHotel APT, aka APT-C-06.

Qihoo experts also tracked the group as the “Peninsula APT,” likely because it refers to an APT group operating from Korea.

Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report containing technical details on attacks exploiting both flaws and aimed at Japanese entities

“When you are directed to the attack site with IE or Firefox, the attack code corresponding to the browser you accessed is returned.” states the JPCERT.

“After that, if the attack succeeds, the attack code will be downloaded again as a proxy automatic configuration file (PAC file). The downloaded attack code is executed as a PAC file, and the malware is downloaded and executed.”

The exploitation of the flaw allows delivering a proxy auto-configuration (PAC) file to the system. The PAC files are used to redirect requests made to specified websites through an external server under the control of the attackers.

The final payload used in the attack is a variant of the Gh0st RAT that was employed in multiple attacks carried out by China-linked APT groups. Experts pointed out that the source code of the RAT was leaked many years ago, and many out threat actors started using it.

“As a result of verification, it was confirmed that the attack on IE confirmed this time will be performed until execution of malware on Window 7 x64 (December 2019 release patch applied) and Windows 8.1 x64 (January 2020 release patch applied), No malware infection occurred in the environment of Windows 10 (with the January 2020 release patch applied).” concluded the report. “It is possible that the code was not compatible with Windows 10 in this attack.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Firefox, IE)

[adrotate banner=”5″]

[adrotate banner=”13″]