Mysterious “double kill” IE zero-day allegedly in the wild

“Double kill” is a bragging term from the world of violent video gaming – it means you finished off two assailants with a single shot.

In the world of cybercrime, it’s the name given by Chinese computer security compay Qihoo to what it claims is an Internet Explorer zero-day hole that’s being actively exploited in the wild.

As you probably know, zero-day exploits get their name because they show up in the hands of attackers before an official patch is available, giving defenders zero days of advance warning to fix affected systems.

If there isn’t a patch you can use, the next best thing is some sort of workaround that minimises or eliminates the side-effects of the bug in your environment.

Unfortunately, in this case, Qihoo isn’t giving much away: we’ve seen only very sketchy details of how the “double kill” exploit works, or what you could look out for if an attacker tried to use the exploit against you.

All we know so far is that a “double kill” attack starts with a Word document, presumably sent as an email attachment.

If you open the booby-trapped document, which is denoted by Qihoo as containing some unspecified sort of shellcode, Internet Explorer is apparently activated in the background, ultimately leading to an executable program being downloaded and executed without any visible warning.

According to Qihoo, this is:

…the first Office Document based exploit that uses a browser zero-day vulnerability to carry out the attack. Opening a malicious Office document may cause infection with a Trojan horse that can take full control of the victim’s computer […] Hackers carried out the APT attack by delivering Office documents containing malicious webpages. When affected users opened the documents, malicious scripts and payloads using the vulnerability were downloaded from a remote host and executed.

What we don’t yet know is:

  • Which document file formats (e.g. RTF, DOC, DOCX, XLS, XLSX, PPT, PPTX) can be used to trigger this vulnerability.
  • Whether the booby-trapped Office files contain macros or other active scripting that could be detected and blocked generically to reduce the risk of attack, at least until specific details are available.
  • Whether Office is required to make the exploit work, or whether other applications might be able to trigger it too, such as PDF readers or video players.
  • How Internet Explorer comes into the attack.

Qihoo’s diagram shows a document containing shellcode, plus various DLLs (executable files) that are apparently written to disk after the document is opened, but Internet Explorer is not depicted in the diagram at all.

Numerous secondary aspects of the attack are mentioned by Qihoo, including a trick used to bypass User Access Control (UAC), the download of an image file with executable code hidden inside it, and the execution of that code by poking it directly into memory without first saving it to disk.

However, these seem to been details of one specific malware payload unleashed by the “double kill” vulnerability, rather than part of the zero-day itself:

At a later stage of the attack, it uses a publicly available UAC bypass technique, file steganography [executable content buried inside an image file] and reflective DLL injection [poking a program directly into memory] to avoid file detection.

What to do?

At this time [2018-04-24T23:30Z] , we don’t have any sample files from an actual attack; we don’t know whether booby-trapped documents have any telltale signs that you can look out for; we don’t know how Internet Explorer comes into the attack; and we don’t know whether Office is the only applciation that can be used to trigger a “double kill”.

All we can do it to reiterate the general security advice we have given many times before: don’t open documents you weren’t expecting, even if they seem to be urgent or interesting.

Apparently, Qihoo has disclosed details of this attack to Microsoft – when we’ve got something useful to add to the little that Qihoo has revealed so far, we’ll pass it on…