
How does the APT attack Double Kill work in Office documents?

The Qihoo 360 Core Security team found a Microsoft vulnerability, named Double Kill, that is exploited through Office documents. Learn how this is possible with Nick Lewis.

Microsoft patched a zero-day vulnerability known as Double Kill that affects Internet Explorer and other applications using Office documents. How does the Double Kill exploit work and why is it so difficult to detect?

Advanced persistent threat (APT) attacks usually display a level of technical sophistication that isn't observed in more common criminal attacks; however, they follow a very similar framework. Many attacks use phishing to get the target to open a malicious file; that file downloads a tool, the tool downloads a Trojan, and the Trojan takes over the system and communicates with a command-and-control server.

While more common attacks don't typically use zero-days, APT groups do use zero-day exploits when necessary, because these groups have the resources and skills to find or purchase them.

One multistage APT attack that exploited an Internet Explorer zero-day vulnerability was identified by the Qihoo 360 Core Security team and named Double Kill. While the researchers didn't identify how the malicious Microsoft Office file reached the target, it is thought to have arrived through standard phishing.

The Qihoo 360 Core Security team provided additional details about the Double Kill vulnerability after Microsoft released a patch for it. The malicious Office document includes Object Linking and Embedding (OLE) auto-link objects; when the document is opened, these objects cause a website to be loaded and rendered by the Internet Explorer VBScript engine. This triggers the exploit, which eventually executes a PowerShell command on the file system.
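One defensive check that follows from the OLE auto-link behaviour described above is to inspect an Office document for OLE objects whose content is fetched from an external URL before anyone opens it. The script below is an added example for this article, not code from the article or from the Qihoo 360 researchers: it builds a constructed, stripped-down .docx in memory whose relationship part carries an `oleObject` relationship with `TargetMode="External"` (the OOXML form of a linked OLE object) and then scans every `.rels` part in the package for such links. The URL and file names are placeholders.

```python
"""Flag externally linked OLE objects in an OOXML (.docx) package.

Added example for this article; it is not code from the article or from the
Qihoo 360 researchers. A constructed .docx is built in memory whose
word/_rels/document.xml.rels carries an oleObject relationship with
TargetMode="External" pointing at a URL: that is the OOXML form of an OLE
auto-link object, which makes Office fetch remote content when the document
is opened. The URL and file names are placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL_TYPE = REL_BASE + "oleObject"
HYPERLINK_REL_TYPE = REL_BASE + "hyperlink"
STYLES_REL_TYPE = REL_BASE + "styles"


def build_sample_docx() -> bytes:
    """Construct a stripped-down .docx containing one external OLE link (sample data)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>'
        # A normal hyperlink is external by design and must not be flagged.
        f'<Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" '
        'Target="https://example.invalid/page" TargetMode="External"/>'
        # An OLE object whose content lives at a URL: fetched when the document opens.
        f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" '
        'Target="http://example.invalid/update.html" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def find_external_ole_links(docx_bytes: bytes) -> list:
    """Return (rels part, relationship id, target) for every OLE object whose
    content is loaded from an external location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Every part can carry its own .rels file (document, headers, footers,
        # footnotes...), so walk all of them rather than only the main document's.
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


if __name__ == "__main__":
    for part, rid, target in find_external_ole_links(build_sample_docx()):
        print(f"{part}: {rid} -> {target}")
```

Run against a real file by passing its bytes to `find_external_ole_links`. A hit means the document will reach out to that target when opened, which is worth quarantining for review regardless of whether the specific VBScript engine bug has been patched.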

The APT attack then relies on extensive obfuscation to hide itself: the payload the exploit uses to install the Trojan is additionally encrypted, which makes it more difficult to analyze or detect. Memory reflection loading is then used to execute the exploit's code, so this stage does not require a file on the local system to run. Image steganography is also used in the attack to identify the C&C server.

It should also be noted that later in the APT attack, multiple files are downloaded to or created on the system and executed locally.
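Because the chain described above ends with a PowerShell command launched from an opened document, the process lineage of an Office application spawning a script host is the event a detection engineer would want to alert on, independently of the obfuscation applied to the payload. The script below is an added example for this article, not code from it or from the researchers: it parses constructed process-creation log lines (modelled loosely on Sysmon Event ID 1 fields `Image`, `ParentImage` and `CommandLine`; the paths and values are made up) and flags script hosts whose parent is an Office process, tagging command-line options that commonly accompany such a stage.

```python
"""Flag script hosts launched by Office applications in process-creation logs.

Added example for this article, not code from it. The log lines are
constructed and only resemble Sysmon process-creation events (Event ID 1)
flattened to key="value" form; the field names Image, ParentImage and
CommandLine match Sysmon's, everything else (paths, values) is made up.
"""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the "-enc" argument is a placeholder, not a real payload.
SAMPLE_LOG = r"""
EventID="1" Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"
EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="powershell.exe -nop -w hidden -enc QQBCAEMA"
EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -File C:\scripts\backup.ps1"
EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\scripts\report.ps1"
"""


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def command_line_tags(cmd: str) -> list:
    """Label options that commonly accompany a PowerShell stage dropped by a document."""
    low = cmd.lower()
    tags = []
    if re.search(r"-(e|en|enc|encodedcommand)\b", low):
        tags.append("encoded-command")
    if re.search(r"-w(indowstyle)?\s+hidden", low):
        tags.append("hidden-window")
    if re.search(r"-nop(rofile)?\b", low):
        tags.append("no-profile")
    return tags


def detect_office_spawned_script_hosts(log_text: str) -> list:
    """Return one finding per event whose parent is an Office application and
    whose image is a script host; benign script-host launches from other
    parents (explorer.exe, schedulers) are left alone."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # ntpath handles Windows separators even when this runs on a non-Windows host.
        image = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
            cmd = ev.get("CommandLine", "")
            findings.append({
                "parent": parent,
                "image": image,
                "command_line": cmd,
                "tags": command_line_tags(cmd),
            })
    return findings


if __name__ == "__main__":
    for hit in detect_office_spawned_script_hosts(SAMPLE_LOG):
        print(f"{hit['parent']} -> {hit['image']} {hit['tags']}: {hit['command_line']}")
```

The lineage match alone is the alert; the tags only help an analyst prioritise. In the sample, the Word-spawned PowerShell with an encoded command and hidden window ranks above the Excel-spawned script that runs a plain file, and the two launches from explorer.exe produce nothing.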
