Although Microsoft has patched a zero-day vulnerability in Internet Explorer, it had already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.
Users are requested to update their computers as soon as possible.
The vulnerability permits remote code execution when a user views a specially crafted web page using Internet Explorer. Successful exploitation gives the attacker the same user rights as the current user. Microsoft’s security update resolves this issue by modifying how Internet Explorer handles objects in memory.
First, the attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame, which redirected visitors to another website hosting an exploit for the Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502).
According to Symantec, the IP address of this website is 18.104.22.168.
This website hosts a file called vvv.html, which redirects to one of two other files, a.js or b.js. These in turn lead to the download of a file called java.html to the victim’s computer. Java.html installs Korplug on the computer in the form of an executable called c.exe.
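For defenders who want to check web proxy logs for the request sequence described above, the following Python sketch is an added example and not code from Symantec or Microsoft. It flags any client that fetched vvv.html, then a.js or b.js, then java.html from one host within a short time. The log format, the 120-second window, the same-host requirement and the `.example` host names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Stage order taken from the article: vvv.html -> a.js or b.js -> java.html
STAGES = [{"vvv.html"}, {"a.js", "b.js"}, {"java.html"}]
WINDOW = 120  # seconds allowed for the whole chain (assumed value)

# Constructed sample log, one request per line: "<epoch> <client> <url>"
SAMPLE_LOG = """\
1439900000 10.0.0.5 http://church.example/index.html
1439900001 10.0.0.5 http://exploit.example/vvv.html
1439900002 10.0.0.5 http://exploit.example/b.js
1439900003 10.0.0.5 http://exploit.example/java.html
1439900010 10.0.0.7 http://intranet.example/a.js
1439900011 10.0.0.7 http://intranet.example/java.html
1439900020 10.0.0.9 http://exploit.example/vvv.html
1439900500 10.0.0.9 http://exploit.example/a.js
1439900501 10.0.0.9 http://exploit.example/java.html
"""

def parse(line):
    """Split one log line into (timestamp, client, host, file name)."""
    ts, client, url = line.split()
    parts = urlsplit(url)
    return int(ts), client, parts.hostname, posixpath.basename(parts.path).lower()

def find_chains(lines, window=WINDOW):
    """Return one hit per (client, host) that completed all stages in order.

    Lines must be sorted by timestamp.
    """
    progress = {}  # (client, host) -> (next stage index, start time, files seen)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, name = parse(line)
        key = (client, host)
        if name in STAGES[0]:            # first stage (re)starts tracking
            progress[key] = (1, ts, [name])
            continue
        if key not in progress:          # a.js or java.html alone is not a hit
            continue
        idx, start, seen = progress[key]
        if ts - start > window:          # chain went stale, drop it
            del progress[key]
        elif name in STAGES[idx]:
            seen = seen + [name]
            if idx + 1 == len(STAGES):
                hits.append({"client": client, "host": host, "files": seen})
                del progress[key]
            else:
                progress[key] = (idx + 1, start, seen)
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit only shows that the browser walked the redirect chain; whether c.exe was written to disk has to be confirmed on the endpoint.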