
An advanced persistent threat (APT), a term sometimes used to describe nation-state-backed cyber-espionage units, is using a zero-day vulnerability in the Internet Explorer kernel code to infect victims with malware.

Security researchers from Chinese antivirus maker Qihoo 360 Core have reported the issue to Microsoft this week, Bleeping Computer has learned from a member of the Qihoo 360 team.

The zero-day has been deployed in live attacks, as part of Office documents sent to selected targets.

Latest versions of IE browser affected, possibly other apps

The Qihoo 360 Core team said the zero-day uses a so-called "double kill" vulnerability that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," researchers wrote today in a blog post on the Weibo micro-blogging platform.

Researchers said the attack involves the use of a public UAC bypass, reflective DLL loading, fileless execution, and steganography.

The Qihoo 360 Core team has not revealed the exact exploitation chain, apart from an image shared on Weibo.

[Image: IE zero-day exploitation chain. Image credits: Qihoo 360 Core; Translated: @Viking_Sec]

Microsoft mum on today's disclosure

In typical Microsoft fashion, the company has not confirmed or denied Qihoo 360 Core's findings. The company has sent over the following canned statement.

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

The Qihoo 360 Core team has not answered a request for comment for more details on the APT group prior to this article's publication.
