Experts published IE Exploit code and crooks added it to Neutrino EK

Operators behind the Neutrino EK have added the code to exploit an Internet Explorer flaw that  was recently patched with the release of the MS16-053.

Operators behind the infamous Neutrino EK have recently added the code to exploit an Internet Explorer vulnerability that was patched with the release of the MS16-053 security bulletin.

The MS16-053 bulletin patched two remote code execution vulnerabilities in the JScript (CVE-2016-0187) and VBScript (CVE-2016-0189) scripting engines

The security vulnerabilities can be exploited through the Internet Explorer web browser, unfortunately, the CVE-2016-0189 had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

In order to trigger the vulnerability, victims have to visit a compromised website or open a spear-phishing email containing a malicious link.

Experts from startup Theori have made a reverse engineering of the MS16-053 and published a PoC exploit for the CVE-2016-0189 vulnerability.

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters that included it in the Neutrino EK as confirmed by FireEye.

Researchers from FireEye noticed that last version of the Neutrino EK included exploits for a total of five vulnerabilities, three Flash Player flaws (CVE-2016-1019, CVE-2016-4117 and CVE-2015-8651) and two Internet Explorer (CVE-2014-6332 and CVE-2016-0189).

“CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.” states FireEye. “In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.”

The experts compared the code used in the Neutrino EK and the one released by the researchers. Researchers from FireEye speculate that crooks might be able to adapt the exploit for older versions of the operating system as well.

In January, experts from Heimdal Security warned a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit, the crimeware kits have become the most popular exploit kits after Angler and Nuclear disappeared.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Neutrino EK, cybercrime)