Internet Explorer zero-day exploit found on more websites. Fingers point towards Elderwood Project

Paul Baccas, a researcher at SophosLabs, has uncovered two new sites which have been hit by the recently-discovered Internet Explorer zero-day remote code execution vulnerability.

The attacks bear all the hallmarks of previous infections spread by the so-called Elderwood Project.

First up is a website serving the Uyghur people of East Turkestan:

Uyghur website


A folder called “netyanus” had been created on the website, containing the following files:

  • Helps.html
  • deployJava.js
  • news.html
  • robots.txt
  • today.swf
  • xsainfo.jpg

The website has since been cleaned up, but clearly whoever infected it had an interest in infecting anyone who visited the site.

Sophos products detect the HTML files as Exp/20124792-B.

The file news.html (detected as Exp/20124792-B) decodes the obfuscated zero-day exploit code inside robots.txt, and executes it.

Sophos products detect the SWF file as Troj/SWFExp-BF, the remaining HTML file as Exp/20124792-B, and the obfuscated code hidden inside xsainfo.jpg as the Troj/Agent-ZMC Trojan horse.

As there is currently no proper patch for the Internet Explorer security vulnerability, chances are that a good proportion of people visiting the Uyghur site could have ended up with their computers becoming infected.

If you weren’t aware, the Uyghur people of East Turkestan have, like the inhabitants of Tibet, long campaigned for independence from the People’s Republic of China and complained about persecution.

At the same time, SophosLabs discovered another infected website – this time, it’s the website of an Iranian oil company, based in Tehran.

Infected Iranian oil website

At the time of writing, the Iranian website is still carrying an infection so we have obscured some of its details in the image above.

On this occasion, the files implanted by the hackers take the following form:

  • deployJava.js
  • exploit.html
  • news.html
  • robots.txt
  • today.swf
  • xsainfo.jpg

Hopefully, if you have been paying attention, some of those filenames will look familiar to you.
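For site owners, the overlap between the two listings can be turned into a simple check of their own web root. The following is an added example, not code from SophosLabs or the original post: it flags any directory holding several of the filenames seen on both sites. The `min_hits` threshold, the function names and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile

# File listings exactly as reported in the article for the two compromised sites.
UYGHUR_SITE = {"Helps.html", "deployJava.js", "news.html", "robots.txt", "today.swf", "xsainfo.jpg"}
IRANIAN_SITE = {"deployJava.js", "exploit.html", "news.html", "robots.txt", "today.swf", "xsainfo.jpg"}

# Names present on both sites, lower-cased for case-insensitive matching.
COMMON = {n.lower() for n in UYGHUR_SITE & IRANIAN_SITE}


def scan_webroot(webroot, min_hits=4):
    """Return [(relative_dir, sorted matching names)] for directories holding
    at least min_hits of the shared filenames. min_hits is an assumed
    threshold: single names such as robots.txt are common and benign alone."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        hits = sorted({f.lower() for f in files} & COMMON)
        if len(hits) >= min_hits:
            findings.append((os.path.relpath(dirpath, webroot), hits))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed sample tree: a clean site root and js folder, plus one
    folder mimicking the 'netyanus' layout. Files are empty; only names matter."""
    layout = {
        ".": ["index.html", "robots.txt", "news.html"],
        "js": ["deployJava.js", "site.js"],
        "netyanus": sorted(UYGHUR_SITE),
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        for name in names:
            open(os.path.join(root, rel, name), "w").close()
    return root


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    for folder, hits in demo():
        print(f"review {folder}: {len(hits)}/{len(COMMON)} shared names -> {', '.join(hits)}")
```

A match is a reason to inspect the folder rather than proof of compromise, since names such as robots.txt and deployJava.js also appear on clean sites.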

You may not be in the habit of visiting websites associated with the Uyghur people, or checking out the websites of Iranian oil firms… but clearly some people and organisations may visit such sites, and could be at risk of having their computers silently infected as a result.

All the same, until a proper patch is pushed out by Microsoft, Internet Explorer users are potentially at risk from attacks which exploit this vulnerability and should take care to ensure that they have layered defences in place to minimise the risk.

Alert image courtesy of Shutterstock.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
