Microsoft Windows IE Vulnerability attacks spotted in the Wild

October 17, 2013

The Dell SonicWALL Threats Research team has found that the old Internet Explorer vulnerability (CVE-2013-1347) is still being actively exploited.
This is the same vulnerability that was exploited in the Department of Labor attacks earlier this year.
It is a use-after-free condition: an object is deleted but a reference to it is reused, causing memory corruption that allows arbitrary code execution.

Following is an in-depth analysis of the attack.

The malicious JavaScript, which employs ROP techniques, is shown below.

image

Debugging shows successful exploitation of the vulnerability.

image

The page includes a payload that downloads a binary, which is saved as C:rund11.exe.

image

image

Another binary is downloaded as shown.

image

Upon execution, this binary sends requests to the following domains.

image

The following signatures already proactively detect the attack.

  • IPS:9470 DOM Object Use-After-Free Attack 2
  • IPS:9872 Windows IE DOM Object Use-After-Free (MS13-038) 1
  • IPS:9873 Windows IE DOM Object Use-After-Free (MS13-038) 2