##### Symantec Official Blog

## New Internet Explorer zero-day exploited in Hong Kong attacks

#### Bug patched by Microsoft yesterday (CVE-2015-2502) has already been exploited in watering hole attacks to deliver Korplug malware.

By: **[Symantec Security Response](http://www.symantec.com/connect/user/symantec-security-response)** **SYMANTEC EMPLOYEE**

Created 19 Aug 2015

A [newly patched zero-day vulnerability in Internet Explorer](http://www.symantec.com/connect/blogs/remote-code-execution-vulnerability-internet-explorer-patched) has already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.
Symantec telemetry revealed an exploit hosted on the compromised site, which was used to infect visitors with the Korplug back door (detected by Symantec as [Backdoor.Korplug](http://www.symantec.com/security_response/writeup.jsp?docid=2012-062914-2531-99)).

The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the [Microsoft Internet Explorer Remote Memory Corruption Vulnerability](http://www.securityfocus.com/bid/76403) (CVE-2015-2502). The IP address of this website is 115.144.107.55. This website hosts a file called vvv.html, which redirects to one of two other files called a.js and b.js and leads to the download of a file called java.html to the victim’s computer. Java.html installs Korplug on the computer, in the form of an executable called c.exe.

Figure 1. Malicious iFrame hosted on compromised Hong Kong website

Korplug (also known as PlugX) is a Trojan that maintains a back door on an infected computer and facilitates information stealing. Symantec has previously released [several blogs](http://www.symantec.com/connect/nl/blog-tags/backdoorkorplug) around Korplug. The

The new Internet Explorer zero-day bug was patched yesterday by Microsoft as part of [Security Bulletin MS15-093](https://technet.microsoft.com/en-us/library/security/ms15-093.aspx). The vulnerability permits remote code execution if a user views a specially crafted web page using Internet Explorer. Successful exploitation of the vulnerability will grant the attacker the same user rights as the current user. Microsoft’s security update resolves this issue by modifying how Internet Explorer handles objects in memory.
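The redirect chain described above can be hunted for in web proxy logs. The following is an added example, not code from the Symantec post: it reports how far each client progressed through the chain, using the IP address and file names given in the post. The log format, the 300-second window, and matching the later-stage files by name on any host are assumptions.

```python
from urllib.parse import urlsplit

# Indicators taken from the post.
IOC_HOST = "115.144.107.55"
CHAIN = [{"vvv.html"}, {"a.js", "b.js"}, {"java.html"}, {"c.exe"}]
STAGE_NAMES = ["landing", "script", "dropper-page", "payload"]
WINDOW = 300  # seconds after first contact with IOC_HOST (assumed; tune locally)

# Constructed sample log. Assumed format: epoch client method url status
SAMPLE_LOG = """\
1439950000 10.0.0.5 GET http://church.example/index.html 200
1439950001 10.0.0.5 GET http://115.144.107.55/vvv.html 200
1439950002 10.0.0.5 GET http://115.144.107.55/b.js 200
1439950003 10.0.0.5 GET http://115.144.107.55/java.html 200
1439950005 10.0.0.5 GET http://115.144.107.55/c.exe 200
1439950100 10.0.0.9 GET http://115.144.107.55/vvv.html 200
1439950101 10.0.0.9 GET http://115.144.107.55/a.js 403
1439951000 10.0.0.7 GET http://cdn.example/a.js 200
malformed line
"""

def parse(line):
    """Return (ts, client, host, filename, status), or None for a bad line."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
        return None
    url = urlsplit(parts[3])
    name = url.path.rsplit("/", 1)[-1].lower()
    return int(parts[0]), parts[1], url.hostname or "", name, int(parts[4])

def chain_progress(log_text):
    """Map each client that contacted IOC_HOST to the deepest stage it reached."""
    state = {}  # client -> [first_contact_ts, stages_completed]
    for ts, client, host, name, status in sorted(
            filter(None, map(parse, log_text.splitlines()))):
        if client not in state:
            if host != IOC_HOST:
                continue  # ignore traffic before first contact with the IoC host
            state[client] = [ts, 0]
        first, stage = state[client]
        in_order = stage < len(CHAIN) and name in CHAIN[stage]
        # The landing page must come from IOC_HOST; later stages match by name.
        host_ok = stage > 0 or host == IOC_HOST
        if in_order and host_ok and ts - first <= WINDOW and 200 <= status < 300:
            state[client][1] = stage + 1
    return {c: STAGE_NAMES[s - 1] if s else "contact-only"
            for c, (_, s) in state.items()}
```

A client reported as `payload` fetched every stage in order and should be triaged as a likely Korplug infection; `landing` or `script` indicates exposure where a later stage was blocked or never requested.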
### Protection

Symantec and Norton products protect against the exploit of this vulnerability with the following detections:

**Antivirus**

- [Hacktool](http://www.symantec.com/security_response/writeup.jsp?docid=2001-081707-2550-99)
- [Trojan.Malscript](https://www.symantec.com/security_response/writeup.jsp?docid=2010-102800-4814-99)

**Intrusion Prevention System**

- [Web Attack: MSIE Memory Corruption CVE-2015-2502](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28195)

The payload used in these attacks is detected as:

- [Backdoor.Korplug](http://www.symantec.com/security_response/writeup.jsp?docid=2012-062914-2531-99)
- [Trojan.Gen.2](http://www.symantec.com/security_response/writeup.jsp?docid=2011-082216-3542-99)