We have recorded a video showing the exploit in action.

First, the user connects to a web page which uses the exploit to launch the download of two files: q1.dll and q2.exe. Then, when q2.exe is executed, it moves the DLL to another directory to prevent the files from being deleted, since they are downloaded into a temp directory.

This DLL is injected into Internet Explorer in order to perform background tasks. Among other things, it dumps proxy, email, configuration and cached passwords. We have attached a sample of the dumped file, in which you can see the proxy authentication data. The malware also has FTP capabilities to upload the dumped files to an external server.


Thanks again to Ismael Briones.