
ESET spots ‘Unicorn bug’ in action


ESET, a global pioneer in proactive protection for 25 years, alerts Internet Explorer users that the recently patched Microsoft Internet Explorer vulnerability allowing remote code execution, which had lain undiscovered for almost 20 years, has prompted significant interest among cyber-attackers. Earlier this week ESET researchers spotted the first proof-of-concept showing the CVE-2014-6332 vulnerability, or ‘Unicorn Bug’, in action.

Following original research by a Chinese researcher, the proof-of-concept shows that by using this vulnerability attackers can run arbitrary code on any remote machine and, moreover, bypass various anti-exploitation tools. The same researcher also found that arbitrary code could run on a machine with an unpatched Internet Explorer that visits a specially crafted website. ESET researchers started looking for such websites.

“It was only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors,” explain ESET researchers on WeLiveSecurity.com.

The website in question, a news site ranked among the top 50 websites in Bulgaria, has only one compromised page, about TV reality show winners. The exploit, detected by ESET as Win32/Exploit.CVE-2014-6332.A, consists of two different payloads: the first a series of commands, the second a PowerShell command to download a binary payload, both with the same content.