Two Different Cybercriminal Groups Are Using IE 10 Zero-Day in Their Operations

Analysis of Sakurel file

FireEye published a report to reveal the existence of an Internet Explorer zero-day that had been served on the website of the US Veterans of Foreign Wars ( The same exploit has been used in an attack involving the French aerospace industry, but experts believe two different groups are responsible.

Shortly after FireEye made its findings public about the campaign targeting the VFW site, Websense published its own research. They identified an attack leveraging the same IE exploit (CVE-2014-0322) three weeks before the operation documented by FireEye.

The attack observed by Websense targeted the French aerospace industries association GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales). The cybercriminals had set up a fake GIFAS website on which they hosted the IE exploit.

Based on its research, Websense has determined that the group which targeted GIFAS might be the same one that compromised the VFW site.

Seculert has conducted its own analysis and has reached a different conclusion. The group that abused the VFW website in theoperation dubbed SnowMan is said to be the one responsible for older campaigns such as DeputyDog and Ephemeral Hydra.

However, Seculert’s analysis shows that the GIFAS attack might have been carried out by a different group using the same IE zero-day exploit.

Experts have found that the malware used in SnowMan, ZXShell, is not the same as the one used in the campaign against the French aviation industry. The second piece of malware distributed with the IE zero-day exploit is designed to steal information, download other threats, and it acts as a backdoor, or a remote access Trojan (RAT).

Seculert tells Softpedia that some antivirus companies have dubbed this threat “Sakurel.” In this case, the Trojan has been used to target the remote users of an aerospace engine manufacturer.

However, this group is more likely connected to one responsible for attacks described by SpiderLabs a year ago, rather than the DeputyDog group.

There are four main indicators that lead experts to believe that there are two distinct groups: different malware, different command and control servers, the use of free dynamic DNS services versus the use of own domain names, and different malware variants to conduct the same type of attack.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s