We have recorded a video, to see the exploit in action.
First, the user connects to a web page which uses the exploit to launch the download of the files: q1.dll y q2l.exe. Then, when q2.exe is executed, it moves the dll to another directory to prevent the deletion of the files, as they are downloaded into a temp directory.
This dll is injected into the Internet Explorer, in order to perform background tasks. Among other things it dumps proxy, email, configuration, and cached passwords… We have attached a sample of the dumped file, there you can see the proxy authentication data. This malware has ftp capabilities to upload the dumped files to an external server.
[ImageAttachment]Thanks again to Ismael Briones.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
