
An advanced persistent threat (APT), a term sometimes used to describe nation-state-backed cyber-espionage units, is using a zero-day vulnerability in the Internet Explorer kernel code to infect victims with malware.

Security researchers from Chinese antivirus maker Qihoo 360 Core have reported the issue to Microsoft this week, Bleeping Computer has learned from a member of the Qihoo 360 team.

The zero-day has been deployed in live attacks, as part of Office documents sent to selected targets.

Latest versions of IE browser affected, possibly other apps

The Qihoo 360 Core team said the zero-day uses a so-called "double kill" vulnerability that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," researchers wrote today in a blog post on the Weibo micro-blogging platform.

Researchers said the attack involves the use of a public UAC bypass, reflective DLL loading, fileless execution, and steganography.

The Qihoo 360 Core team has not revealed the exact exploitation chain, apart from an image shared on Weibo.

[Image: IE zero-day exploit chain diagram. Image credits: Qihoo 360 Core; Translated: @Viking_Sec]

Microsoft mum on today's disclosure

In typical Microsoft fashion, the company has not confirmed or denied Qihoo 360 Core's findings. The company has sent over the following canned statement.

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

The Qihoo 360 Core team had not responded to a request for comment seeking more details on the APT group before this article's publication.
