{"id":83484,"date":"2016-09-30T16:39:39","date_gmt":"2016-09-30T11:09:39","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=83484"},"modified":"2016-09-30T16:39:39","modified_gmt":"2016-09-30T11:09:39","slug":"hackers-launching-multiple-attacks-using-one-email","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/hackers-launching-multiple-attacks-using-one-email\/","title":{"rendered":"Hackers Launching Multiple Attacks using One Email"},"content":{"rendered":"

What makes cybercriminals more notorious is that they do not stay idle. They keep themselves busy in improving their game and formulating newer methods to trap their preys. A case in point is a recent observation made by Quick Heal Labs where attackers are using a new open source exploit<\/a> called \u2018CVE-2016-0189<\/a>\u2019 for Internet Explorer. In this malicious campaign, attackers are using exploits of Microsoft Office and Internet Explorer in a single email instead of multiple ones. This campaign was active in August 2016 and was found to be targeting some private organizations in India.<\/p>\n

What is the reason behind using multiple exploits in one email?<\/strong><\/p>\n

To increase the success rate of exploitation and execution of the delivered malware on the victim\u2019s machine against security vulnerabilities present in Internet Explorer and Microsoft Office.<\/p>\n

A mashup of different exploits to cause double damage<\/strong><\/p>\n

In this campaign, attackers combined an Internet Explorer exploit called \u2018CVE-2016-0189\u2019 with old Microsoft Office exploits called \u2018CVE-2012-0158\u2019 and \u2018CVE-2015-2545<\/a>\u2019. This was done for to increase the chances of a reliable execution of the malware.<\/p>\n

How does this attack begin?<\/strong><\/p>\n

The victim receives an email containing HTML and RTF files as attachments (fig 1).<\/p>\n

\"multiple-weapon-1\"<\/p>\n

Fig 1<\/p>\n

\"multiple-weapon-2\"<\/p>\n

Fig 2<\/p>\n

If the receiver\u2019s computer has an unpatched (outdated) version of Microsoft Office or Internet Explorer, then opening the attached files exploit the vulnerabilities in these applications, downloading and executing the malware on the victim\u2019s machine.<\/p>\n

Both the RTF and HTML exploit download the malware payload from the same URL path.<\/p>\n

Some of the URLs used for downloading the malware are as follows:<\/p>\n