This month, Microsoft released a patch for the zero-day vulnerability (CVE-2018-8174) — central to the Double Kill exploit — affecting VBScript Engine. In this coordinated release, Qihoo 360 researchers discovered that it was exploited in the wild as early as April 18, 2018, allowing code execution by remote attackers. The vulnerability was used to install a backdoor probably used for cyber-espionage. This is considered the highest priority update among those issued in May.
According to SecureList, the vulnerability in the VBScript Engine allows a remote attacker to execute arbitrary code. The affected software is not only Internet Explorer itself but can also be used by other applications based on the Internet Explorer kernel. Moreover, because Internet Explorer can be invoked from various applications like Microsoft Office; all Microsoft Windows operating systems are considered affected.
The incident identified by researchers was catalyzed by an RTF file, but other file types could be used to the same effect. That file, when opened by a user, downloads an HTML page containing malicious code packaged as an MSHTML type object, which is not blacklisted by the VBScript Engine as some other object types are — specifically to prevent this type of attack.
When the Windows user opens an RTF file with Microsoft Word, or by visiting a specially crafted website, the attack is set in motion. The current attack differentiates itself from similar attacks by loading an HTML page containing VBScript, which bypasses filters looking for suspicious application file types, and is executed by the VBScript Engine.
This hop from Microsoft Office into the Internet Explorer kernel is the defining weak point for the vulnerability under consideration and has never been seen in exploit code before. Its revelation may, therefore, open the door to similar plans of attack by other threats.
The exploit, dubbed “Double Kill,” so far has been used in targeted attacks only. Double Kill sets up multiple backdoors on the target machines, enabling them to receive more commands after the initial intrusion is completed. Based on past activities of the presumptive author of the exploit code, APT-C-06, these mechanisms are likely deployed to exfiltrate information from selected targets.
The attribution for this attack was due to its use of the “retro” backdoor, whose name derives directly from its source code implanted by APT-C-06 in the past. One of the malware sample studies was also consistent with several years’ worth of APT-C-06 products on one infected machine examined by researchers.
