Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Mysterious “double kill” Word/IE zero-day allegedly in the wild as phishing attack

    Double_Kill

    “Double kill” is a bragging term from the world of violent video gaming – it means you finished off two assailants with a single shot.

    In the world of cybercrime, it’s the name given by Chinese computer security company Qihoo to what it claims is an Internet Explorer zero-day hole that’s being actively exploited in the wild.

    Unfortunately, in this case, Qihoo isn’t giving much away: we’ve seen only very sketchy details of how the “double kill” exploit works, or what you could look out for if an attacker tried to use the exploit against you.

    All we know so far is that a “double kill” attack starts with a Word document, presumably sent as a phishing email attachment.

    If you open the booby-trapped document, which is denoted by Qihoo as containing some unspecified sort of shellcode, Internet Explorer is apparently activated in the background, ultimately leading to an executable program being downloaded and executed without any visible warning.

    According to Qihoo, this is

    "The first Office Document based exploit that uses a browser zero-day vulnerability to carry out the attack. Opening a malicious Office document may cause infection with a Trojan horse that can take full control of the victim’s computer […] Hackers carried out the APT attack by delivering Office documents containing malicious webpages. When affected users opened the documents, malicious scripts and payloads using the vulnerability were downloaded from a remote host and executed."

    What we don’t yet know is:

    • Which document file formats (e.g. RTF, DOC, DOCX, XLS, XLSX, PPT, PPTX) can be used to trigger this vulnerability.
    • Whether the booby-trapped Office files contain macros or other active scripting that could be detected and blocked generically to reduce the risk of attack, at least until specific details are available.
    • Whether Office is required to make the exploit work, or whether other applications might be able to trigger it too, such as PDF readers or video players.
    • How Internet Explorer comes into the attack.

    More technical background at Sophos' NakedSecurity blog. In any case it seems like an excellent idea to test your users and check if they would fall for a phishing attack like this. 

    Free Phishing Security Test

    Did you know that 91% of successful data breaches started with a spear-phishing attack?

    Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone with our new, improved free test. 

    Get Your Free PST Now

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

     

     

    Return To KnowBe4 Security Blog

    Topics: Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews