Double Kill Exploit Jumps From Office To Explorer - Report By Marina Kidron, Director of Threat Intelligence in the Skybox Research Lab
The Double Kill exploit of a VBScript Engine vulnerability uses a first-of-its-kind attack method we’ll likely see more of in the future
This month, Microsoft released a patch for the zero-day vulnerability (CVE-2018-8174) — central to the Double Kill exploit — affecting the VBScript Engine. In this coordinated release, Qihoo 360 researchers reported that it had been exploited in the wild as early as April 18, 2018, allowing code execution by remote attackers. The vulnerability was used to install a backdoor, probably for cyber-espionage. This is considered the highest-priority update among those issued in May.
According to SecureList, the vulnerability in the VBScript Engine allows a remote attacker to execute arbitrary code. The affected software is not only Internet Explorer itself: the engine can also be used by other applications built on the Internet Explorer kernel. Moreover, because Internet Explorer can be invoked from various applications like Microsoft Office, all Microsoft Windows operating systems are considered affected.
The incident identified by researchers was catalyzed by an RTF file, but other file types could be used to the same effect. That file, when opened by a user, downloads an HTML page containing malicious code packaged as an MSHTML type object, which is not blacklisted by the VBScript Engine as some other object types are — specifically to prevent this type of attack.
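The chain above starts with an OLE object embedded in an RTF file, so a defender's first triage question is simply "what objects does this attachment carry, and do any of them point at a URL or a browser object class rather than a document part?" The following script is an added example written for this post; it is not Skybox's or the researchers' code. It parses the `{\object ...}` groups of an RTF document, extracts each object's `\objclass` name and hex-encoded `\objdata` payload, and flags objects whose class is on an assumed watch-list or whose payload contains a URL. The RTF samples are constructed, the `htmlfile` watch-list entry is an assumption chosen to illustrate the technique, and the payloads are simplified stand-ins for real OLE1 streams.

```python
"""Triage helper for RTF attachments: enumerate embedded OLE objects and flag
the ones that carry browser content or a URL instead of a document part.

Added example for this post, not Skybox's or the researchers' code. The RTF
samples are constructed, the watch-list of object classes is an assumption,
and the objdata payloads are simplified stand-ins for real OLE1 streams."""
import re
from dataclasses import dataclass

OBJECT_KW = re.compile(r"\\object\b")                          # start of an {\object ...} group
OBJCLASS = re.compile(r"\{\\\*\\objclass\s+([^}]*)\}")          # {\*\objclass <name>}
OBJDATA = re.compile(r"\{\\\*\\objdata\s*([0-9A-Fa-f\s]*)\}")   # {\*\objdata <hex bytes>}
URL = re.compile(rb"https?://[\x21-\x7e]+")

# Assumed watch-list: object classes that pull the IE HTML engine into Office.
SUSPICIOUS_CLASSES = {"htmlfile"}


@dataclass
class RtfObject:
    obj_class: str
    data: bytes
    urls: list
    suspicious: bool


def _enclosing_group(text: str, idx: int):
    """Return (start, end) of the innermost {...} group enclosing position idx.
    Braces preceded by a backslash are RTF escapes (\\{ \\}) and are skipped;
    the rarer escaped-backslash-then-brace case is not handled."""
    depth, start = 0, -1
    for i in range(idx, -1, -1):
        if i > 0 and text[i - 1] == "\\":
            continue
        if text[i] == "}":
            depth += 1
        elif text[i] == "{":
            if depth == 0:
                start = i
                break
            depth -= 1
    if start < 0:
        raise ValueError("unbalanced RTF: no opening brace")
    depth = 0
    for j in range(start, len(text)):
        if j > 0 and text[j - 1] == "\\":
            continue
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return start, j + 1
    raise ValueError("unbalanced RTF: no closing brace")


def extract_objects(rtf: str):
    """List every embedded object with its class, decoded payload and verdict."""
    found = []
    for m in OBJECT_KW.finditer(rtf):
        start, end = _enclosing_group(rtf, m.start())
        group = rtf[start:end]
        cls_m = OBJCLASS.search(group)
        obj_class = cls_m.group(1).strip() if cls_m else ""
        data_m = OBJDATA.search(group)
        hexdata = re.sub(r"\s+", "", data_m.group(1)) if data_m else ""
        data = bytes.fromhex(hexdata) if len(hexdata) % 2 == 0 else b""
        urls = [u.decode("ascii") for u in URL.findall(data)]
        suspicious = obj_class.lower() in SUSPICIOUS_CLASSES or bool(urls)
        found.append(RtfObject(obj_class, data, urls, suspicious))
    return found


def _objdata_hex(payload: bytes) -> str:
    """Constructed stand-in for an OLE1 objdata stream: a 4-byte version
    header followed by the payload (real streams carry more structure)."""
    return (b"\x01\x05\x00\x00" + payload).hex()


# Constructed samples (not real documents).
SAMPLE_PLAIN = r"{\rtf1\ansi Quarterly report text only.}"
SAMPLE_BENIGN = (
    r"{\rtf1\ansi Figures attached: {\object\objemb{\*\objclass Excel.Sheet.8}"
    + r"{\*\objdata " + _objdata_hex(b"\xd0\xcf\x11\xe0 constructed sheet bytes") + "}}}"
)
SAMPLE_FLAGGED = (
    r"{\rtf1\ansi Invoice {\object\objautlink{\*\objclass htmlfile}"
    + r"{\*\objdata " + _objdata_hex(b"http://example.com/stage2.html\x00") + "}}}"
)

if __name__ == "__main__":
    for name, doc in [("plain", SAMPLE_PLAIN), ("benign", SAMPLE_BENIGN), ("flagged", SAMPLE_FLAGGED)]:
        for obj in extract_objects(doc):
            print(f"{name}: class={obj.obj_class!r} urls={obj.urls} suspicious={obj.suspicious}")
```

A URL inside an object payload is the stronger of the two signals, because it means the document fetches content at open time instead of carrying it; an unexpected object class is only a reason to look closer, since legitimate documents embed many class types.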
Unique Infection Method Sees Jump from Office to Internet Explorer
When a Windows user opens an RTF file with Microsoft Word or visits a specially crafted website, the attack is set in motion. The current attack differentiates itself from similar attacks by loading an HTML page containing VBScript, which bypasses filters looking for suspicious application file types and is executed by the VBScript Engine.
This hop from Microsoft Office into the Internet Explorer kernel is the defining weak point for the vulnerability under consideration and has never been seen in exploit code before. Its revelation may, therefore, open the door to similar plans of attack by other threats.
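Because the hop runs inside the Office process rather than spawning a browser, process-creation telemetry does not see it; what does show up is the Office process loading the Internet Explorer HTML engine and then a script engine. The script below is an added example for this post, not Skybox's or the researchers' code. It groups image-load records per Office process and ranks those that loaded both the HTML engine and a script engine. The records are constructed in the shape of Sysmon Event ID 7 (Image loaded) entries; the field names, the sample events, the process and DLL watch-lists and the scoring levels are all assumptions made for illustration.

```python
"""Detection sketch for the Office-to-IE-engine hop.

Added example for this post; not Skybox's or the researchers' code. Input is a
list of dict records shaped like Sysmon Event ID 7 (Image loaded) entries; the
field names, sample events, watch-lists and scoring are assumptions."""
from collections import defaultdict

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed host list
HTML_ENGINE = "mshtml.dll"                                      # IE rendering engine
SCRIPT_ENGINES = {"vbscript.dll", "jscript.dll"}                # engines mshtml can host


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def engine_loads_by_office(events):
    """Return {(host_exe, pid): set(dll)} for Office processes that loaded the
    HTML engine or a script engine. Either one alone is only a weak signal."""
    loads = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 7:
            continue                      # only image-load records matter here
        host = _basename(ev["Image"])
        dll = _basename(ev["ImageLoaded"])
        if host in OFFICE_HOSTS and (dll == HTML_ENGINE or dll in SCRIPT_ENGINES):
            loads[(host, ev["ProcessId"])].add(dll)
    return dict(loads)


def score(loads):
    """Rank processes: HTML engine plus a script engine in one Office process
    is the pattern matching the hop described in the post (assumed scoring)."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for (host, pid), dlls in loads.items():
        if HTML_ENGINE in dlls and dlls & SCRIPT_ENGINES:
            level = "high"
        elif dlls & SCRIPT_ENGINES:
            level = "medium"
        else:
            level = "low"
        findings.append({"host": host, "pid": pid, "dlls": sorted(dlls), "level": level})
    findings.sort(key=lambda f: order[f["level"]])
    return findings


# Constructed sample events (not real telemetry).
_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
_IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": _WORD, "ImageLoaded": r"C:\Windows\System32\mshtml.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": _WORD, "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": 7, "ProcessId": 5300, "Image": _EXCEL, "ImageLoaded": r"C:\Windows\System32\mshtml.dll"},
    {"EventID": 7, "ProcessId": 7788, "Image": _IE, "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": 1, "ProcessId": 4120, "Image": _WORD, "ImageLoaded": ""},   # process-create, ignored
]

if __name__ == "__main__":
    for f in score(engine_loads_by_office(SAMPLE_EVENTS)):
        print(f"{f['level']:6} pid={f['pid']} {f['host']} loaded {', '.join(f['dlls'])}")
```

The low-level hits are kept in the output on purpose: Office can load the HTML engine for legitimate reasons, so a single load is a baseline to learn from, not an alert, while the combined pattern in one process is what a responder would open first.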
Double Kill Exploit
The exploit, dubbed "Double Kill," has so far been used in targeted attacks only. Double Kill sets up multiple backdoors on the target machines, enabling them to receive more commands after the initial intrusion is completed. Based on past activities of the presumptive author of the exploit code, APT-C-06, these mechanisms are likely deployed to exfiltrate information from selected targets.
The attack was attributed on the basis of its use of the "retro" backdoor, whose name derives directly from source code implanted by APT-C-06 in the past. One of the malware samples studied was also consistent with several years' worth of APT-C-06 products found on one infected machine examined by researchers.
The malicious script is hidden under layers of obfuscation and misdirection designed to evade reverse engineering by analysts even after it’s discovered. These techniques include image steganography to conceal the parameters used to communicate back to the home base, programs disguised as benign applications such as ssh and zlib, and byte-replacement encryption to make found code unrecognizable. The latter method is one of the clues that were used to attribute this attack to APT-C-06, a threat actor active since 2007 and mainly targeting victims in China. This malware sample was found to use the same decryption scheme implemented by APT-C-06 in the past.
As Double Kill was already used in the wild, it’s only a matter of time until others close the gap and use this exploit for other, less targeted intents.
How Skybox Can Help
Skybox Security can help you quickly identify a vulnerability (like Double Kill) in your network and make recommendations for patching or other forms of mitigation based on the security controls, such as firewalls and intrusion prevention systems (IPS), already in place. We do this by analyzing information around vulnerabilities in the Skybox Research Lab. A team of security analysts scours dozens of public and private security data sources daily and investigates sites on the dark web.
This work is the foundation of the free and unrestricted Skybox Vulnerability Center and the intelligence feed of our product suite, putting analyst-validated, current threat intelligence at our customers’ fingertips. The Research Lab also provides vulnerability information regarding exploitability levels, exploitation preconditions and effects, and configures attack patterns to be used in Skybox’s patented attack simulations.
The Skybox Vulnerability Center, which currently publishes information on the Double Kill vulnerability, is used in our scanless vulnerability assessments to deduce the presence of vulnerabilities in a customer environment without running an active scan. Vulnerability occurrences are then layered into our attack surface model, which includes network topology, security controls and assets. Attack simulations are performed on the model using the intelligence feed data to identify vulnerable assets directly or indirectly exposed to a potential attack. The intelligence feed can also provide insights to determine which vulnerability occurrences are under active exploit in the wild, have sample exploit code available or are packaged in crimeware such as ransomware, exploit kits and other threats.
Skybox allows you to respond quickly to threat intelligence such as the Double Kill exploit, in the context of your network. Instead of focusing on vulnerability severity alone, Skybox analyzes more factors than any other solution to determine the risk a vulnerability poses.