‘Double Kill’ Zero-day is Used in an APT Campaign

Delaware, USA – April 23, 2018 – The Qihoo 360 team discovered an APT campaign organized by unknown threat actor, which leverages a zero-day vulnerability in Internet Explorer to infect users with malware. Details have not been disclosed, but it is known that vulnerability dubbed “Double Kill” is in the IE kernel code. It affects the latest versions of the browser and other applications that use the Internet Explorer kernel. Attackers send phishing emails with an attached malicious document containing a web page. While opening, the document exploits a zero-day vulnerability for downloading and executing malware. Attackers also use a number of other advanced techniques, including fileless execution, steganography and User Account Control bypass.

Qihoo 360 informed Microsoft about the vulnerability, but it is not known whether an emergency update will be released. In its response, Microsoft recommends using the latest versions of the operating system and browser and also promises to investigate the information received.

Despite the fact that details about Double Kill are unknown, we can assume that Edge browser is also vulnerable. Prior to the release of the security update, it is desirable to strengthen control over the security of MS Windows systems and install the patch immediately after its release. You can empower your SIEM detection capabilities with Windows Security Monitor and Sysmon Framework use cases that help detect anomalies and suspicious activity on Windows hosts.