The Asian Age

Double Kill jumps from MS Office to Explorer

- AGE CORRESPONDENT

Earlier, Microsoft released a patch for the zero-day vulnerability — central to the Double Kill exploit — affecting the VBScript Engine. In this coordinated release, Qihoo 360 researchers disclosed that it had been exploited in the wild as early as April 18, 2018, allowing code execution by remote attackers. The vulnerability was used to install a backdoor, probably for cyberespionage. This is considered the highest-priority update among those issued in May.

AFFECTS ALL WINDOWS OS

According to Securelist, the vulnerability in the VBScript Engine allows a remote attacker to execute arbitrary code. Kidron, Director of Threat Intelligence in the Skybox Research Lab, says that the affected software is not only Internet Explorer itself: the flaw can also be reached through other applications built on the Internet Explorer kernel. Moreover, because Internet Explorer can be invoked from various applications such as Microsoft Office, all Microsoft Windows OS versions are considered affected.

The incident identified by researchers was triggered by an RTF file, but other file types could be used to the same effect. That file, when opened by a user, downloads an HTML page containing malicious code packaged as an MSHTML-type object, which the VBScript Engine does not blacklist as it does some other object types — a blacklist intended specifically to prevent this type of attack.

METHOD SEES JUMP FROM OFFICE TO IE

When the Windows user opens an RTF file with Microsoft Word, or visits a specially crafted website, the attack is set in motion. The current attack differentiates itself from similar attacks by loading an HTML page containing VBScript, which bypasses filters looking for suspicious application file types, and is then executed by the VBScript Engine.
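The two paragraphs above describe the delivery chain: an RTF document carries an embedded object that pulls a remote HTML page, and the VBScript inside that page runs in the Internet Explorer engine. The following Python script is an added triage example, not code from the article or from any of the researchers it cites. It extracts the hex-encoded `\objdata` blobs from an RTF file and flags any that carry a remote URL or a script marker, which is the kind of quick static check a defender can run on attachments before they reach a user. The sample document, the indicator list and the function names are all constructed for this example; real exploit documents often add obfuscation that a regex pass will not see through, so treat a clean result as "nothing obvious", not as safe.

```python
import re
from typing import Callable, Dict, List, Tuple

# Matches an RTF embedded-object data group, "{\*\objdata <hex...>}".
# Group 1 captures the hex payload (whitespace inside the hex is allowed).
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]*)")

# Heuristic indicators. Each is (label, predicate over the decoded object bytes).
# Constructed for this example; extend or tighten for your environment.
INDICATORS: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("remote URL (ASCII)",
     lambda b: b"http://" in b.lower() or b"https://" in b.lower()),
    ("remote URL (UTF-16LE)",
     lambda b: "http://".encode("utf-16-le") in b.lower()
     or "https://".encode("utf-16-le") in b.lower()),
    ("inline script marker",
     lambda b: b"<script" in b.lower() or b"vbscript" in b.lower()),
]


def extract_objdata(rtf: str) -> List[bytes]:
    """Return the decoded bytes of every \\objdata group in the document."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:          # tolerate a stray trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def scan_rtf(rtf: str) -> List[Dict]:
    """Score each embedded object against the indicator list."""
    results = []
    for idx, blob in enumerate(extract_objdata(rtf)):
        hits = [label for label, check in INDICATORS if check(blob)]
        results.append({"object": idx, "size": len(blob), "indicators": hits})
    return results


def is_suspicious(rtf: str) -> bool:
    """True if any embedded object tripped at least one indicator."""
    return any(r["indicators"] for r in scan_rtf(rtf))


# ---- constructed sample input (not a real exploit document) ----------------

def _objdata_group(blob: bytes) -> str:
    """Wrap raw object bytes in an RTF embedded-object group."""
    return "{\\object\\objemb{\\*\\objdata " + blob.hex() + "}}"


# Minimal OLE-style header bytes followed by the payload we care about.
BLOB_REMOTE = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
               + b"http://example.invalid/stage.html\x00")
BLOB_BENIGN = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
               + b"Package\x00" + b"\x00" * 8 + b"hello.txt\x00")

SAMPLE_RTF = ("{\\rtf1\\ansi\\deff0 Invoice attached. "
              + _objdata_group(BLOB_REMOTE)
              + _objdata_group(BLOB_BENIGN)
              + "}")

if __name__ == "__main__":
    for entry in scan_rtf(SAMPLE_RTF):
        print(entry)
    print("suspicious:", is_suspicious(SAMPLE_RTF))
```

On the constructed sample the first object is reported with a `remote URL (ASCII)` hit and the second with none. Legitimate documents also embed objects, so the output is a prioritisation signal for an analyst rather than a verdict.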

This hop from Microsoft Office into the Internet Explorer kernel is the defining weak point for the vulnerability under consideration and has never been seen in exploit code before. Its revelation may, therefore, open the door to similar plans of attack by other threats.

DOUBLE KILL EXPLOIT

The exploit, dubbed “Double Kill,” has so far been used in targeted attacks only. Double Kill sets up multiple backdoors on the target machines, enabling them to receive more commands after the initial intrusion is completed. Based on past activities of the presumptive author of the exploit code, APT-C-06, these mechanisms are likely deployed to exfiltrate information from selected targets.

The attributio­n for this attack was due to its use of the “retro” backdoor, whose name derives directly from its source code implanted by APT- C06 in the past. One of the malware sample studies was also consistent with several years’ worth of APT- C- 06 products on one infected machine examined by researcher­s.

The malicious script is hidden under layers of obfuscation and misdirection designed to evade reverse engineering by analysts even after it’s discovered. These techniques include image steganography to conceal the parameters used to communicate back to the home base, programs disguised as benign applications such as ssh and zlib, and byte-replacement encryption to make found code unrecognisable.

The latter method is one of the clues used to attribute this attack to APT-C-06, a threat actor active since 2007 and mainly targeting victims in China. This malware sample was found to use the same decryption scheme implemented by APT-C-06 in the past. As Double Kill was already used in the wild, it’s only a matter of time until others close the gap and use this exploit for other, less targeted intents.

IS THERE A SOLUTION?

Software such as Skybox Security can help you quickly identify a vulnerability (like Double Kill) in your network and make recommendations for patching or other forms of mitigation based on the security controls such as firewalls and intrusion prevention systems (IPS) already in place. Skybox allows you to respond quickly to threat intelligence such as the Double Kill exploit, in the context of your network.

PHOTO: PIXABAY
