ESET spots ‘Unicorn bug’ in action

The first proof-of-concept of the infamous Internet Explorer vulnerability strikes in Bulgaria

ESET, a global pioneer in proactive protection for 25 years, alerts Internet Explorer users that the latest patch for a Microsoft Internet Explorer vulnerability allowing remote code execution, which had lain undiscovered for almost 20 years, has prompted significant interest among cyber-attackers.

Earlier this week ESET researchers spotted the first proof-of-concept showing the CVE-2014-6332 vulnerability, or ‘Unicorn Bug’, in action.

Following original research by a Chinese researcher, the proof-of-concept shows that by using this vulnerability attackers can run arbitrary code on any remote machine and, moreover, bypass various anti-exploitation tools. The same researcher also found that arbitrary code could run on a machine with an unpatched Internet Explorer that visits a specially crafted website. ESET researchers started looking for such websites.

“It was only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors,” explain ESET researchers on

The website in question, a news site ranked among the top 50 websites in Bulgaria, has only one compromised page, about TV reality show winners. The exploit, detected by ESET as Win32/Exploit.CVE-2014-6332.A, consists of two different payloads: the first a series of commands; the second a PowerShell script to download a binary payload, both with the same content.

Read more about this malware and how you can protect against it on

