According to security researchers at Chinese web giant Quihoo 360, hackers are using a zero-day vulnerability in Internet Explorer kernel code to infect Windows computers with malware.
The researchers say that an advanced persistent threat (APT) group is using the vulnerability to infect victims on a global scale by sending malicious Office documents to selected targets.
We uncovered an IE 0day vulnerability has been embedded in malicious MS Office document, targeting limited users by a known APT actor.Details reported to MSRC @msftsecresponse— 360 Core Security (@360CoreSec) April 20, 2018
These documents are loaded with what they call a "double-kill" vulnerability, which affects the latest versions of Internet Explorer and any other applications that use IE kernel. When victims open the office document, the bug launches a malicious webpage in the background to deliver malware from a remote server.
"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," the researchers wrote in a blog post on the Chinese platform Weibo.
The researchers said that the attack involves the use of a public User Account Control (UAC) bypass, reflective DLL loading, fileless execution, and steganography; they also provided a diagram that roughly outlines the attack, with Chinese annotations.
The company says that it has reported the vulnerability to Microsoft and will be giving them appropriate time to find a patch before it reveals more details about the bug.
Microsoft has neither confirmed nor denied the attacks, but has given the following statement:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.
