The Chinese researchers who discovered attacks using Microsoft’s just patched Windows Visual Basic Script (VBScript) flaw claim the attackers were non-Chinese state-sponsored hackers that have been targeting the Chinese government for the past decade.
Researchers at Qihoo 360 Core Security have released their English language assessment of attacks they discovered in April that used a then unknown flaw to compromise targets using an Internet Explorer exploit dubbed “Double Kill” that was delivered in an Office document.
Microsoft credited the Chinese research team and Kaspersky Lab analysts with finding a VBScript flaw — tracked as CVE-2018-8174 — patched in Microsoft’s Tuesday May update.
Microsoft didn’t confirm it was the same issue revealed in April, however the Qihoo 360 Core Security team say it definitely was the bug it reported, which aligns with Kaspersky Lab’s conclusions in its report on the flaw it was credited with finding.
Both reports clarified the attacks were embedded in a Word document and commonly cite the use of variations on an Office flaw (CVE-2017-0199). Microsoft patched this bug in April 2017 to block a then zero-day attack, which similarly used VBScript with PowerShell commands to deliver malware via a Word document with an embedded exploit.
Kaspersky notes there was some confusion over the origin of CVE-2018-8174 due to Qihoo 360’s initial Chinese-only report, which seemed to suggested an IE flaw was being exploited as opposed to a vulnerability in the Windows VBScript engine.
This is the first time a public exploit has been observed using a "URL moniker" to load an IE exploit in a Word document, which is notable because it allowed the attackers to force IE to load even when the target had set Chrome or Firefox as the default browser, according to Kaspersky.
In turn, this allowed the attackers to leverage the Windows VBScript engine flaw through IE in circumstances it wouldn’t otherwise apply. Because of this Kaspersky expects cybercriminals to adopt the technique in drive-by attacks on browsers and via spear-phishing documents.
As for targets of of the first attacks using the VBScript flaw, most victims were organizations in Chinese provinces involved in foreign trade activities, according to Qihoo 360 Core Security.
The Word document bait it found was, interestingly, written in Yiddish, which might suggest a connection to Israel -- and could easily be a red-herring.
The Chinese researchers steer clear of overtly attributing the attack to a specific country but say that while researching victims it found “one special compromised machine” that had a large amount of malware it attributes to a group it calls “APT-C-06”. The researchers link this advanced persistent threat (APT) group to DarkHotel — a malware campaign discovered in 2014 by Kaspersky Lab, which found connections with malware developed by South Korean hackers.
“In the process of tracing victims, we found one special compromised machine. It has a large amount of malware related to APT-C-06," Qihoo 360 Core Security notes.
The Chinese researchers see a clear “evolution” in APT-C-06 development of the malware since 2015.
“Based on the evidence we have, the organization may be a hacker group or intelligence agency supported by a foreign government. The attacks against China have never stopped over the past 10 years,” it notes.
Kaspersky’s report does not attempt to attribute the attack to any hacking group or nation.