Mysterious “double kill” Word/IE zero-day allegedly in the wild as phishing attack


“Double kill” is a bragging term from the world of violent video gaming – it means you finished off two assailants with a single shot.

In the world of cybercrime, it’s the name given by Chinese computer security company Qihoo to what it claims is an Internet Explorer zero-day hole that’s being actively exploited in the wild.

Unfortunately, in this case, Qihoo isn’t giving much away: we’ve seen only very sketchy details of how the “double kill” exploit works, or what you could look out for if an attacker tried to use the exploit against you.

All we know so far is that a “double kill” attack starts with a Word document, presumably sent as a phishing email attachment.

If you open the booby-trapped document, which is denoted by Qihoo as containing some unspecified sort of shellcode, Internet Explorer is apparently activated in the background, ultimately leading to an executable program being downloaded and executed without any visible warning.

According to Qihoo, this is

"The first Office Document based exploit that uses a browser zero-day vulnerability to carry out the attack. Opening a malicious Office document may cause infection with a Trojan horse that can take full control of the victim’s computer […] Hackers carried out the APT attack by delivering Office documents containing malicious webpages. When affected users opened the documents, malicious scripts and payloads using the vulnerability were downloaded from a remote host and executed."

What we don’t yet know is:

  • Which document file formats (e.g. RTF, DOC, DOCX, XLS, XLSX, PPT, PPTX) can be used to trigger this vulnerability.
  • Whether the booby-trapped Office files contain macros or other active scripting that could be detected and blocked generically to reduce the risk of attack, at least until specific details are available.
  • Whether Office is required to make the exploit work, or whether other applications might be able to trigger it too, such as PDF readers or video players.
  • How Internet Explorer comes into the attack.

More technical background at Sophos' NakedSecurity blog. In any case it seems like an excellent idea to test your users and check if they would fall for a phishing attack like this. 

Free Phishing Security Test

Did you know that 91% of successful data breaches started with a spear-phishing attack?

Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone with our new, improved free test. 

Get Your Free PST Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Topics: Phishing

Subscribe To Our Blog

Weak Password Test Contest

Get the latest about social engineering

Subscribe to CyberheistNews