An exploit for a just-patched vulnerability affecting Internet Explorer is now in the Sundown exploit kit.
Watering hole attacks use the Sundown exploit kit to deliver a backdoor Trojan detected as Trojan.Nancrat, said researchers at Symantec. The malware allows attackers to steal information from infected computers.
In order to deliver the Trojan to victims’ computers, Sundown attempts to exploit various vulnerabilities, including a critical memory corruption flaw in Internet Explorer patched by Microsoft August 11 as part of the company’s monthly security updates.
When it patched the remote code execution security hole, Microsoft said there was no evidence of exploitation and the flaw was not public.
The attacks monitored by Symantec mainly affect users in Japan, but some infections were also in the United States, Brazil, Canada, and the United Kingdom.
The attackers injected an iframe into a hijacked website in order to redirect users to a highly obfuscated webpage hosting the Sundown exploit kit. The kit scans for the presence of certain security software, sandboxes and traffic analysis tools before dropping its exploits, Symantec researchers said in a blog post.
In the campaign observed by Symantec, Sundown also leveraged six other exploits, including four Flash Player, one Windows and one Internet Explorer exploits.