SANS ISC: Internet Storm Center


New IE 0-day in the wild

Published: 2018-04-23
Last Updated: 2018-04-23 14:10:40 UTC
by Didier Stevens (Version: 1)
2 comment(s)

Qihoo 360 Technology, a Chinese internet security company, has published a report on a new Internet Explorer zero-day exploit that it has seen used in the wild by an (unnamed) APT group. Qihoo 360 reported the vulnerability to Microsoft on 4/19/2018. We have no news from Microsoft.

The report can be found here (in Standard Chinese).

Although the report does not contain many technical details, it does include a diagram of the kill chain, which we have translated here:

It appears that the initial attack detected by Qihoo 360 used a Microsoft Office document containing an embedded web page. The vulnerability appears to be in the Internet Explorer rendering engine, and could therefore be exploited through any application that uses the IE engine, not only the browser itself.

We will post more news as it becomes available.

Didier Stevens
Microsoft MVP Consumer Security

Keywords: 0day apt ie