Microsoft Patches IE Zero-Day Dubbed “Double Kill”

Threat Summary

On May 8^th 2018 , Microsoft released critical security updates to patch a Remote Code Execution (RCE) vulnerability in the VBScript engine. The APT attack was discovered in the wild by Chinese antivirus company Qihoo 360 Core in late April targeting trade agencies in China via phishing campaigns. The attack exploits a Use-After-Free (UAF) memory corruption vulnerability (CVE-2018-8174) in the way Microsoft’s VBScript engine handles objects in memory, allowing an attacker to download and execute arbitrary code.

The sample that our labs team analyzed was an adapted proof-of-concept (POC) released by Kaspersky labs in their detailed technical analysis of the attack. The POC follows the same infection chain as Qihoo 360 Core’s discovery in late April where a Rich Text Format (RTF) word document leveraged IE to load the exploit. Even if IE isn’t your default browser, you’re still very much at risk as IE can be forced via specially crafted methods as the threat actors demonstrated with their OLE embedded document. Sending their victims a bare link would have been successful as long as their default browser was IE, but since variances in browser preference would have greatly limited their target scope, the adversary used a clever trick to force IE to load the exploit by taking advantage of a URL Moniker function/feature (HTTP Content-Type “text/html”) embedded into the word document.

We expect to see this exploit and delivery method to be utilized much more in upcoming phishing and malware campaigns, especially now that a Metasploit module was released and several POC exploits have surfaced.

Threat Prevention

The most effective prevention is of course to apply the critical security updates released by Microsoft on May 8^th, which patches the vulnerable VBScript engine in all currently supported versions of Windows.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

Additionally, it is a best practice to disable the default setting “update automatic links at open” as described in one of our previous blog posts https://www.vertekmti.com/malware-distributed-via-ms-office-dde-feature-no-macros-required/ where you’ll also find information for enforcing this setting via group policy across your Active Directory environment.

By disabling “update automatic links at open”, the user will not be prompted with a choice of fetching the payload if they accidently open one of these documents.

Update 5/25/18: That didn’t take long. Researchers have observed RIG using code to exploit CVE-2018-8174 against IE11 on Windows 7. More here: https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html