An advanced persistent threat (APT), a term sometimes used to describe nation-state-backed cyber-espionage units, is using a zero-day vulnerability in the Internet Explorer kernel code to infect victims with malware.
Security researchers from Chinese antivirus maker Qihoo 360 Core have reported the issue to Microsoft this week, Bleeping Computer has learned from a member of the Qihoo 360 team.
The zero-day has been deployed in live attacks, as part of Office documents sent to selected targets.
Latest versions of IE browser affected, possibly other apps
The Qihoo 360 Core team said the zero-day uses a so-called “double kill” vulnerability that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.
“After the target opens the document, all exploit code and malicious payloads are loaded from a remote server,” researchers wrote today in a blog post on the Weibo micro-blogging platform.
Researchers said the attack involves the use of a public UAC bypass, reflective DLL loading, fileless execution, and steganography.
The Qihoo 360 Core team has not revealed the exact exploitation chain, apart from an image shared on Weibo. [We’re still working on getting the image translated.]
Microsoft mum on today’s disclosure
In typical Microsoft fashion, the company has not confirmed or denied Qihoo 360 Core’s findings. The company has sent over the following canned statement.
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.
The Qihoo 360 Core team had not answered a request for comment seeking more details on the APT group prior to this article’s publication.
We uncovered an IE 0day vulnerability that has been embedded in a malicious MS Office document, targeting limited users by a known APT actor. Details reported to MSRC @msftsecresponse
— 360 Core Security (@360CoreSec) April 20, 2018