Recently, Microsoft issued an emergency patch for a zero-day vulnerability in Internet Explorer that is being exploited to deploy Korplug malware on vulnerable PCs.
Korplug, a known variant of PlugX, is a Trojan that creates a backdoor used for information stealing on infected computers.
In one of the most publicized cases, an evangelical church in Hong Kong was compromised to deliver the malware. Attackers were able to breach the church’s website and inject a malicious iFrame overlay designed to look like the site itself.
The iFrame was then used to redirect visitors to a site hosting the IE exploit. Once users land on that site, they are served a page named java.html, which installs Korplug on their computers.
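For site owners, the injected iFrame described above is something a routine content check can surface. The following is an added example, not AlienVault code or part of the original post: it lists iframes on a page whose source host is neither the site itself nor an allow-listed embed, and notes whether the inline style looks like a full-page overlay. The host names, the style heuristic and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that suggest a frame laid over the whole page.
# Assumed heuristic for this example; tune it to the site's own templates.
OVERLAY_HINTS = ("position:fixed", "position:absolute", "width:100%", "height:100%", "z-index")


class IframeAuditor(HTMLParser):
    """Records iframes that load from hosts the site does not expect."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.trusted:
            return  # relative URL, same site, or allow-listed embed
        style = a.get("style", "").replace(" ", "").lower()
        overlay = sum(hint in style for hint in OVERLAY_HINTS) >= 2
        self.findings.append({"line": self.getpos()[0], "host": host, "overlay": overlay})


def audit_page(html, site_host, allowed_hosts=()):
    """Return one finding per unexpected off-site iframe in the page source."""
    auditor = IframeAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: one legitimate embed, one local frame, one injected overlay.
SAMPLE = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560"></iframe>
<iframe src="/calendar.html"></iframe>
<iframe src="http://landing.invalid/java.html"
        style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, "church.example", ("www.youtube.com",)):
        print(finding)
```

Run against each published page after every content change, a finding with `overlay` set to true on a host nobody added deliberately is a reason to inspect the page source and the web server for compromise.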
To defend against Korplug, system administrators and security engineers should educate users of corporate assets about these types of hacking techniques.
In many cases, organizations are breached because of a lack of internal education around how to identify threats.
All too often breaches are successful when users execute malicious email attachments, download files from suspicious websites, or install cracked software.
However, even with the right kind of education, users will still sometimes inadvertently compromise company assets.
This usually occurs when a user accidentally exposes the network to a piece of malware posing as a legitimate spreadsheet or Word document in an email or, in the case of the evangelical church described above, an iFrame designed to look like a page of a website.
Impact on You
Acting as a backdoor, malware like Korplug can give an attacker complete control over a user’s computer.
This allows the attacker to escalate privileges, exfiltrate data from the user’s machine, or use the machine as a pivot point to access more sensitive systems.
How AlienVault Can Help
AlienVault Unified Security Management (USM) provides asset discovery, threat detection (IDS), vulnerability assessment, behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team.
The Labs team has released IDS signatures and a correlation rule to the AlienVault USM platform so customers can identify activity related to Korplug.