Double Kill Exploit Jumps From MS Office to Internet Explorer

Skybox Blog TeamMay 10, 2018

This week, Microsoft released a patch for the zero-day vulnerability (CVE-2018-8174) — central to the Double Kill exploit — affecting VBScript Engine. In this coordinated release, Qihoo 360 researchers discovered that it was exploited in the wild as early as April 18, 2018, allowing code execution by remote attackers. The vulnerability was used to install a backdoor probably used for cyber-espionage. This is considered the highest priority update among those issued in May.

  • CVE-2018-8174 Affects All Windows OS

According to SecureList, the vulnerably in the VBScript Engine allows a remote attacker to execute arbitrary code. The affected software is not only Internet Explorer itself, but can also be used by other applications based on the Internet Explorer kernel. Moreover, because Internet Explorer can be invoked from various applications like Microsoft Office, all Microsoft Windows operating systems are considered affected.

The incident identified by researchers was catalyzed by an RTF file, but other file types could be used to the same effect. That file when opened by a user downloads an HTML page containing malicious code packaged as an MSHTML type object, which is not blacklisted by the VBScript Engine as some other object types are — specifically to prevent this type of attack.

  • Unique Infection Method Sees Jump From Office to Internet Explorer

When the Windows user opens an RTF file with Microsoft Word, or by visiting a specially crafted website, the attack is set in motion. The current attack differentiates itself from similar attacks by loading an HTML page containing VBScript, which bypasses filters looking for suspicious application file types, and is executed by the VBScript Engine.

This hop from Microsoft Office into the Internet Explorer kernel is the defining weak point for the vulnerability under consideration and has never been seen in exploit code before. Its revelation may, therefore, open the door to similar plans of attack by other threats.

  • Double Kill Exploit

The exploit, dubbed “Double Kill,” so far has been used in targeted attacks only. Double Kill sets up multiple backdoors on the target machines, enabling them to receiving more commands after the initial intrusion is completed. Based on past activities of the presumptive author of the exploit code, APT-C-06, these mechanisms are likely deployed to exfiltrate information from selected targets.

The attribution for this attack was due to its use of the “retro” backdoor, whose name derives directly from its source code implanted by APT-C-06 in the past. One of the malware sample studies was also consistent with several years’ worth of APT-C-06 products on one infected machine examined by researchers.

The malicious script is hidden under layers of obfuscation and misdirection designed to evade reverse engineering by analysts even after it’s discovered. These techniques include image steganography to conceal the parameters used to communicate back to the home base, programs disguised as benign applications such as ssh and zlib, and byte-replacement encryption to make found code unrecognizable. The latter method is one of the clues that was used to attribute this attack to APT-C-06, an active threat actor since 2007 mainly targeting victims in China. This malware sample was found to use same the decryption scheme implemented by APT-C-06 in the past.

As Double Kill was already used in the wild, it’s only a matter of time until others close the gap and use this exploit for other, less targeted intents.

Related Posts

Orangeworm and Abbott Shed Light on Healthcare Cyberthreat: The Orangeworm attack targeting healthcare organizations and vulnerabilities in Abbott cardiac devices raise fresh concerns of cyber issues in industry

Drupalgeddon2 Attack Puts Sites at Risk Worldwide: Several malware families including Monero cryptominer and the Muhstik botnet are using the Drupalgeddon2 vulnerability

Hackers Disrupt Critical Infrastructure Network Using Cisco Smart Install Flaw: Bot uses Shodan to detect vulnerable devices, 200,000 affected worldwide by Cisco Smart Install Client vulnerability

The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions.

Recent Posts

What’s new in the Skybox Security version 11.5 release
Read More
Cryptomining is hottest new malware type, research reveals
Read More
Three ways to modernize your OT security programs
Read More
How to manage third-party cyber risk in banking and financial services
Read More
Vulnerability and Threat Trends Report highlights the importance of cyber exposure analysis that goes beyond CVSS rating
Read More
Skybox 2021 Vulnerability and Threat Trends mid-year report
Read More