
How does the APT attack Double Kill work in Office documents?

The Qihoo 360 Core Security team found a Microsoft vulnerability -- named Double Kill -- that affects applications via Office documents. Learn how this is possible with Nick Lewis.

Microsoft patched a zero-day vulnerability known as Double Kill that affects Internet Explorer and other applications using Office documents. How does the Double Kill exploit work and why is it so difficult to detect?

Advanced persistent threat (APT) attacks usually display a level of technical sophistication that isn't observed in more common criminal attacks; however, they follow a very similar framework. Many attacks use phishing techniques to get the target to open a malicious file, which then downloads a tool that in turn downloads a Trojan; the Trojan takes over the system and communicates with a command-and-control (C&C) server.

While more common attacks don't typically use zero-days, APT groups do use zero-day exploits, when necessary, because the groups have the resources and skills to find or purchase them.

One APT attack that exploited an Internet Explorer zero-day vulnerability in a multistage attack was identified by the Qihoo 360 Core Security team and named Double Kill. While the researchers didn't identify how the malicious Microsoft Office file got to the target, it is thought to have been through standard phishing.

The Qihoo 360 Core Security team provided additional details about the Double Kill vulnerability after Microsoft released a patch for it. The malicious Office document contains Object Linking and Embedding (OLE) auto-link objects; when the document is opened, these cause a web page to be fetched and rendered with the Internet Explorer VBScript engine. Rendering that page triggers the exploit, which eventually executes a PowerShell command on the file system.
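As an added defender-side illustration (not code from the article or from the Qihoo 360 team), the following Python heuristic triages an RTF-format Office document for the pattern described above: an OLE object marked as an auto-link and set to update on open, whose embedded data carries a URL. The sample document, its URL and the object bytes are constructed for the example; RTF is an assumption, since the article only says "Office document".

```python
import re
import binascii

# Constructed sample: an RTF wrapper with one OLE object marked auto-link
# (\objautlink) and update-on-open (\objupdate). The object bytes are a
# placeholder, not a real OLE stream; they just carry a constructed URL.
_FAKE_OBJECT = b"\x01\x05\x00\x00\x01\x00\x00\x00http://example.invalid/page.html\x00"
SAMPLE_RTF = (
    r"{\rtf1\ansi"
    r"{\object\objautlink\objupdate\rsltpict"
    r"{\*\objclass Word.Document.8}"
    r"{\*\objdata " + binascii.hexlify(_FAKE_OBJECT).decode() + r"}}}"
)

# Hex blob that follows an \objdata control word (whitespace allowed).
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
# Printable URL inside the decoded object bytes; stops at the first NUL/space.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def triage_rtf(rtf: str) -> dict:
    """Heuristic triage of RTF text.

    Flags a document as suspicious only when all three indicators line up:
    an auto-link OLE object, forced update on open, and a URL inside the
    object data. Any one alone is common in benign documents.
    """
    has_autlink = "\\objautlink" in rtf
    has_update = "\\objupdate" in rtf
    urls = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        try:
            raw = binascii.unhexlify(hexdata)
        except binascii.Error:
            continue  # malformed hex: skip, do not crash triage
        urls.extend(u.decode("ascii", "replace") for u in URL_RE.findall(raw))
    return {
        "objautlink": has_autlink,
        "objupdate": has_update,
        "urls": urls,
        "suspicious": has_autlink and has_update and bool(urls),
    }


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

A hit from this heuristic is a reason to detonate the file in a sandbox and to check proxy logs for the extracted URL, not a verdict on its own.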

The APT attack then relies on extensive obfuscation to hide itself, further encrypting the payload the exploit uses to install the Trojan, which makes it harder to analyze or detect. Memory reflection uploading is then used to execute code in the exploit, so no file on the local system is needed to run it; image steganography is used in the attack to identify the C&C server.

It should also be noted that later in the APT attack, multiple files are downloaded or created on the system and executed locally.

This was last published in October 2018
