A vulnerability in the VBScript engine has been used by hackers working for North Korea to compromise systems targeted by the Darkhotel operation.

VBScript is available in the latest versions of Windows and in Internet Explorer 11. In recent versions of Windows, though, Microsoft disabled execution of VBScript in the default configuration of its browser, making it immune to the vulnerability.

There are other methods to load scripts, though. For instance, applications in the Office suite rely on the IE engine to load and render web content.

Security researchers from Trend Micro noticed a VBScript vulnerability being exploited in the wild a day after Microsoft delivered its regular updates for Windows in July. Now tracked as CVE-2018-8373, the bug has been addressed in this month’s patch delivery. It is a use-after-free memory corruption that allows the attacker to run shellcode on the compromised computer.

After analyzing the exploit code, researchers discovered that it shared the obfuscation technique used by exploits for an older VBScript vulnerability, CVE-2018-8174, which was also exploited in the wild and patched in May. Also known as Double Kill, that vulnerability was reported by experts at Chinese security company Qihoo 360.


Figure: Shellcode run by the two exploits

The common ground led them to consider that the exploits may have the same origin, says Elliot Cao of Trend Micro Security Research.

Researchers from Qihoo 360 offer additional arguments in support of this theory. In a blog post published today, they point out that Trend Micro’s analysis of CVE-2018-8373 referenced the same domain name that was embedded in Office documents to download Double Kill exploit code.

Figure: Double Kill – domain name hosting malicious VBScript

Back in May, Qihoo 360 experts analyzed Double Kill and confirmed its association with the Darkhotel group (APT-C-06). Their firm attribution relied on tools and methods they already knew were used by the threat actor.

“During the analysis, we found the decryption algorithm that malware used is identical to APT-C-06’s decryption algorithm,” they wrote at the time, adding that it ran cyberespionage operations and that China was among its main targets.

Kaspersky Labs brought Darkhotel to light in 2014 and traced its activity back as early as 2007. The experts described it as a long-running operation that targeted business executives and representatives of government organizations staying at luxury Asian hotels.

The use of zero-day vulnerabilities in renowned products suggested that Darkhotel was a highly professional group or was supported by a rich sponsor.

Joint research from McAfee and Intezer earlier this month made clear that Darkhotel has ties with the DPRK (Democratic People’s Republic of Korea). The joint operation analyzed malware from various campaigns associated with North Korea. By checking unique code shared by tools used between 2009 and 2017, the researchers created a map that connects malware families.

According to this research, Darkhotel is directly related to Dark Seoul malware, which is tied to Operation Blockbuster – the Sony Pictures hack the FBI attributed unequivocally to DPRK-endorsed hackers.