IE Zero-Day “double kill” And Its First In-The-Wild Attack Found By 360

Apr 26, 2018360TS

Recently, 360 Security Center discovered an attack that used IE 0-day vulnerability. After analysis, we found that it is the first APT(Advanced Persistent Threat) campaign that forms its attack with an Office document embedding a newly discovered Internet Explorer 0-day exploit. As soon as anyone opens the malicious document, they get infected and give away control of their computers.

360 has completely deciphered the whole attack, reported the detail of this vulnerability to Microsoft and named this exploit “double kill.” This vulnerability affects all latest Microsoft’s Internet Explorer and any applications using IE browser engine to render web pages. While 360 is committed to facilitating the fix of this vulnerability, we warn users not to open any Office documents from unknown sources.

Under the hood, hackers initiate the attack by embedding a malicious website inside an Office document. Any malicious code and payload can be deployed via remote web servers. This attack also uses a known UAC bypassing technique to acquire administrator’s privileges. Its in-memory execution methodology leaves no disk footprint and avoids traffic tracking.

In recent years, we have discovered a rising trend that Office documents have taken the center stage of APT attacks. Opening any malicious documents with “double kill” allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping and data leakage convenient and stealthy.

360 Security Center would like to remind all users not to open any documents from untrusted sources. Any organization and government should pay close attention to the latest update of this vulnerability to harden the defense of their IT infrastructures. 360 Security Center will keep track of the evolution of this vulnerability and the availability of its solution.