We have recorded a video, to see the exploit in action.
First, the user connects to a web page which uses the exploit to launch the download of the files: q1.dll y q2l.exe. Then, when q2.exe is executed, it moves the dll to another directory to prevent the deletion of the files, as they are downloaded into a temp directory.
This dll is injected into the Internet Explorer, in order to perform background tasks. Among other things it dumps proxy, email, configuration, and cached passwords… We have attached a sample of the dumped file, there you can see the proxy authentication data. This malware has ftp capabilities to upload the dumped files to an external server.
[ImageAttachment]Thanks again to Ismael Briones.