Microsoft patched a zero-day vulnerability known as Double Kill that affects Internet Explorer and other applications...
using Office documents. How does the Double Kill exploit work and why is it so difficult to detect?
Advanced persistent threat (APT) attacks usually display a level of technical sophistication that isn't seen in more common criminal attacks; however, they follow a very similar framework. Many attacks use phishing to get the target to open a malicious file, which downloads a small loader that, in turn, fetches a Trojan; the Trojan takes over the system and communicates with a command-and-control (C&C) server.
While more common attacks don't typically use zero-days, APT groups do use zero-day exploits when necessary, because they have the resources and skills to find or purchase them.
One multistage APT attack that exploited an Internet Explorer zero-day vulnerability was identified by the Qihoo 360 Core Security team and named Double Kill. While the researchers didn't identify how the malicious Microsoft Office file reached the target, it is thought to have arrived through standard phishing.
The Qihoo 360 Core Security team published additional details about the Double Kill vulnerability after Microsoft released a patch for it. The malicious Office document contains an Object Linking and Embedding (OLE) auto-link object; when the document is opened, Office follows that link and renders the remote web page with the Internet Explorer engine, even if IE is not the user's default browser. The page carries VBScript that triggers the vulnerability in IE's VBScript engine, and the exploit ultimately executes a PowerShell command on the victim's system.
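The auto-link construct above is something a defender can look for before a document is ever opened. The following Python script is an added example for this column, not code from the original answer or from the Qihoo 360 researchers: it unpacks a .docx, reads the relationship table, and reports every OLE object whose relationship points outside the package (TargetMode="External"), which is exactly the kind of link that Word resolves at open time. The sample document is constructed in memory; the ProgID, relationship ID and the URL attacker.invalid are placeholder values, not indicators from the real Double Kill documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces involved in a Word OLE object and its relationship entry.
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_O = "urn:schemas-microsoft-com:office:office"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_V = "urn:schemas-microsoft-com:vml"
OLE_REL_TYPE = NS_R + "/oleObject"


def find_ole_autolinks(docx_bytes):
    """Return (rel_id, target, ole_type, update_mode) for every OLE object in a
    .docx whose relationship points outside the package (TargetMode="External").
    Word fetches such a link when the document is opened, which is the auto-link
    construct Double Kill used to hand a web page to the IE engine."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names or "word/_rels/document.xml.rels" not in names:
            return findings
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        external = {}
        for rel in rels.findall(f"{{{NS_REL}}}Relationship"):
            if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                external[rel.get("Id")] = rel.get("Target")
        doc = ET.fromstring(z.read("word/document.xml"))
        for ole in doc.iter(f"{{{NS_O}}}OLEObject"):
            rid = ole.get(f"{{{NS_R}}}id")
            if rid in external:
                findings.append((rid, external[rid], ole.get("Type"), ole.get("UpdateMode")))
    return findings


def build_sample_docx(target, external=True):
    """Build a minimal .docx with one OLE object (constructed test input, not a
    real sample). With external=True the object is a link to `target` that
    updates on open; otherwise it is an ordinary embedded object. The ProgID,
    shape ID and relationship ID are placeholder values."""
    ole_attrs = 'Type="Link" UpdateMode="Always"' if external else 'Type="Embed"'
    rel_attrs = 'TargetMode="External"' if external else ""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{NS_W}" xmlns:o="{NS_O}" xmlns:r="{NS_R}" xmlns:v="{NS_V}">'
        '<w:body><w:p><w:r><w:object>'
        '<v:shape id="_x0000_i1025" type="#_x0000_t75" style="width:1pt;height:1pt"/>'
        f'<o:OLEObject {ole_attrs} ProgID="Word.Document.8" ShapeID="_x0000_i1025" '
        'DrawAspect="Content" ObjectID="_1" r:id="rId5"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{NS_REL}">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{target}" {rel_attrs}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Placeholder URL; a real lure would point at the attacker's exploit page.
LINKED_DOC = build_sample_docx("http://attacker.invalid/page.html")
EMBEDDED_DOC = build_sample_docx("embeddings/oleObject1.bin", external=False)

if __name__ == "__main__":
    for label, blob in (("linked", LINKED_DOC), ("embedded", EMBEDDED_DOC)):
        print(label, find_ole_autolinks(blob))
```

A hit is not proof of malice, since legitimately linked objects exist, but an external http(s) target in a document that arrived from outside the organization is a strong reason to detonate it in a sandbox or block it at the mail gateway. The same check should be applied to the other Office packages (xlsx, pptx) and, with a different parser, to RTF, which carries the equivalent object in plain text.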
The attack then relies on extensive obfuscation to hide itself: the payload the exploit uses to install the Trojan is further encrypted, which makes it harder to analyze or detect. The next stage is executed by reflective loading, meaning the code is mapped and run directly in memory, so it does not need a file on the local system. The C&C server's address is not carried in clear text either; it is hidden in an image using steganography, and the malware extracts it from the image to find its C&C server.
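The column does not say how the C&C address was encoded in the image, so the following is an added example, not the attackers' code or the researchers' analysis. It assumes the simplest scheme, a length-prefixed payload written into the least-significant bit of successive pixel samples, and uses a constructed byte buffer in place of a real decoded image. It shows why the image offers nothing to a hash or string match: the clean and modified carriers differ by at most one unit per sample, the C&C string never appears as contiguous bytes, and an analyst who does not know the framing cannot simply read it back out. The address c2.example.invalid is a placeholder.

```python
import struct

# Constructed carrier: 4096 eight-bit samples standing in for the decoded pixel
# data of an image. A real tool would read these from a PNG/BMP with an image library.
CARRIER = bytes((i * 37 + 11) % 256 for i in range(4096))
# Constructed C&C string; the real campaign's address is not reproduced here.
PAYLOAD = b"c2.example.invalid:443"


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def hide_lsb(pixels, payload):
    """Return a copy of `pixels` with `payload` written into the least-significant
    bit of consecutive samples. A 4-byte big-endian length prefix tells the
    reader how many bytes follow (assumed framing, not the attackers' scheme)."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Recover the payload hidden by hide_lsb: read the length from the first 32
    LSBs, then that many bytes from the LSBs that follow. A carrier that was not
    written with this framing yields an implausible length and is rejected."""
    def read_bytes(start, count):
        buf = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            buf.append(value)
        return bytes(buf)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds carrier; not an LSB payload with this framing")
    return read_bytes(32, length)


def carrier_delta(original, stego):
    """Count changed samples and the largest per-sample change between the clean
    carrier and the stego version; with LSB embedding the latter is at most 1."""
    changed = sum(1 for a, b in zip(original, stego) if a != b)
    max_delta = max(abs(a - b) for a, b in zip(original, stego))
    return changed, max_delta


STEGO = hide_lsb(CARRIER, PAYLOAD)

if __name__ == "__main__":
    print("recovered:", extract_lsb(STEGO))
    print("plain string present in stego bytes:", PAYLOAD in STEGO)
    print("changed samples, max delta:", carrier_delta(CARRIER, STEGO))
```

In practice the decoding routine is recovered from the malware itself, since the framing and bit order are whatever the author chose; until then, the useful indicator is not the image content but where it is fetched from, so the download URL and the host serving it belong in the network block list even though the image file hashes clean.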
It should also be noted that, later in the attack, multiple files are downloaded or created and then executed on the local system, so the later stages are not fileless and do leave artifacts on disk.
Related Q&A from Nick Lewis