Internet Explorer may seem all but dead, but it remains a popular method for spreading malware. According to Qihoo 360, an advanced persistent threat (APT) is using a zero-day vulnerability known as ‘Double Kill’.
APT refers to a continuous and often difficult to detect attack that targets a specific entity. It’s often a sign of a nation state attack, though Qihoo only says it’s by a ‘known APT actor’.
Researchers say malware has been deployed in live attacks through the use of Office documents. As soon as the user opens the document, exploit code and malware are loaded from a remote server. It uses reflective DLL loading, a UAC bypass, fileless execution and steganography to achieve its goals. Once infected, attackers can install backdoor Trojans or gain complete control of the PC.
Threat intelligence analyst Mitch Edwards has kindly translated an image by Qihoo that shows the attack process. As he notes, it’s a bit of a mess, but should still make it easier to understand.
The finale, the original image you wanted translated!https://t.co/i18dAuP7S2
— Mitch (@Viking_Sec) 23 April 2018
Microsoft’s Response
Currently, it’s unclear how critical the exploit is and how widespread its exploitation is. However, Internet Explorer users still make up 12.46% of the browser market share, many on older versions of Windows that aren’t as secure.
In response to Bleeping Computer, Microsoft simply sent out its usual pre-prepared statement, which sheds no light on the issue:
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.”
Patch Tuesday usually occurs on the second Tuesday of each month, so users may have to wait two weeks for a fix. In the meantime, you should avoid using Internet Explorer and pay extra attention to the documents you receive.
