Microsoft's Internet Explorer has an unpatched vulnerability. Security researchers have now discovered that this zero-day vulnerability is being exploited by an APT group to distribute malware.
At first I found only this Bleeping Computer article as a single source. A few hours ago, The Register also published this article on the subject. That article points out that Microsoft published this document a few days ago, which refers to IE 9 and 10.
The term Advanced Persistent Threat (APT) is used to describe state-supported cyber espionage units.
IE zero-day kernel vulnerability
Security researchers from Chinese anti-virus vendor Qihoo 360 Core have recently observed that APT groups use a zero-day vulnerability in Internet Explorer kernel code to infect victims with malware. Qihoo 360 Core has reported the problem to Microsoft, as Bleeping Computer learned from the company.
We uncovered an IE 0day vulnerability has been embedded in malicious MS Office document, targeting limited users by a known APT actor. Details reported to MSRC @msftsecresponse
— 360 Core Security (@360CoreSec), April 20, 2018
The zero-day exploit has been used in live attacks as part of Office documents sent to selected targets. The Qihoo 360 Core Team writes that the zero-day exploit uses a so-called "double kill" vulnerability. This affects the latest versions of Internet Explorer and all other applications that use the IE kernel.
"After the target opens the document, all exploit codes and malicious payloads are loaded from a remote server," the researchers write in a blog post (Chinese) on the Weibo microblogging platform. The researchers state that the attack involves the use of a publicly known UAC bypass method, reflective DLL loading, fileless execution and steganography.
The Qihoo 360 Core Team has not revealed the exact details of the attacks. Microsoft has neither confirmed nor denied the results of Qihoo 360 Core. The company has issued the following statement.
Windows is committed to investigating reported security issues and proactively updating affected devices as quickly as possible. We recommend that our customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to remedy our current update Tuesday schedule.
That's more than thin, of course. The Qihoo 360 Core Team is also silent about a request for further information about the APT Group.