Background
On 15 August 2018, the network security company Trend Micro disclosed an in-the-wild 0day exploit sample it had captured in July of this year. The attack uses a code execution vulnerability in the Windows VBScript Engine. Analysis and comparison show that this 0day shares several attack techniques with the “double kill” vulnerability that 360 first discovered in April 2018, which affects the IE browser and is delivered through Office documents (see reference [1]), so the same group is very likely responsible.
360 Threat Intelligence Center analyzed and confirmed the 0day vulnerability as soon as it was disclosed and, through big data correlation analysis, confirmed that this in-the-wild 0day attack is associated with the DarkHotel APT group.
Source
On 15 August 2018, Trend Micro disclosed a technical analysis of an in-the-wild 0day exploit sample captured on 11 July of this year. Microsoft had patched the vulnerability the day before; its vulnerability number is CVE-2018-8373.
Timeline of the three “double kill” 0day vulnerabilities
CVE-2018-8373 is in fact the third vulnerability found this year to affect the Windows VBScript Engine; the first two were discovered first by security researchers at 360. All three vulnerabilities affect the IE browser and can be exploited through Microsoft Office documents. The discovery timeline of the three “double kill” 0day vulnerabilities is as follows:
| CVE | Discovered | Patched | Description |
|---|---|---|---|
| CVE-2018-8174 | 2018.4.18 | 2018.5.8 | In-the-wild “double kill” vulnerability affecting Office and IE |
| CVE-2018-8242 | 2018.7.10 | | Discovered by 360 security researchers and reported to Microsoft (reference [2]) |
| CVE-2018-8373 | 2018.7.11 | 2018.8.14 | In-the-wild “double kill” vulnerability affecting Office and IE |
Tracing and association
IOC obtained from the code
Through big data correlation analysis, 360 Threat Intelligence Center was the first to obtain the IOC address behind the code published by Trend Micro:
http://windows-updater.net/realmuto/wood.php?who=1???
Associating homologous 0day attack samples
On the same day that Trend Micro captured the in-the-wild “double kill” 0day attack, we also found an Office document sample suspected of using the same 0day. The domain embedded in the Office document sample has the same format as the domain given by Trend Micro: http://windows-updater.net/stack/ov.php?w= 1\x00who =1)
![](/Article/UploadPic/2018-8/2018818164226756.png)
Confirming the association with DarkHotel
After obtaining the domain name used in the 0day attack, we immediately found that it is the same domain name used in the latest DarkHotel APT attack activity that 360 Threat Intelligence Center published in May of this year (see reference [4] for details):
![](/Article/UploadPic/2018-8/2018818164226401.png)
![](/Article/UploadPic/2018-8/2018818164227720.png)
Entering the domain name into the 360 Threat Intelligence Center threat platform immediately associates it with DarkHotel:
![](/Article/UploadPic/2018-8/2018818164227684.png)
CVE-2018-8373 vulnerability analysis
Shown below is the POC trigger code given by Trend Micro:
![](/Article/UploadPic/2018-8/2018818164227680.png)
Comparing this vulnerability with the CVE-2018-8174 POC captured by 360 in May of this year: the main cause of CVE-2018-8174 is that Class_Terminate can keep assigning to a memory object that has already been freed, which results in a use after free, whereas in CVE-2018-8373 a Property Get operation on a class can modify the length of an array member of that class, which then leads to reuse of the freed object:
![](/Article/UploadPic/2018-8/2018818164227915.png)
The corresponding POC code is shown below. The POC code is very simple: the class VulClass defines an array member variable, a Class_Initialize method, and a Public Default Property Get P.
Class_Initialize is a VB method, since deprecated in favour of New, that runs when an instance of the class is created; overloading it lets the class perform the appropriate initialization work at creation time.
A Default Property is a class attribute. Here Public Default Property Get P is overloaded so that accessing the class triggers the corresponding action, which in the POC is executing ReDim Preserve array(1 to).
ReDim requests memory reallocation, which the VB engine ultimately performs through the SafeArrayRedim function. Those familiar with VB vulnerabilities will know that this function was previously the root of the CVE-2015-6332 vulnerability:
![](/Article/UploadPic/2018-8/2018818164227987.png)
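As an added example (not code from the article or from Trend Micro), the following heuristic scanner flags VBScript source that has the class shape just described: a Default Property Get that resizes an array member of its own class. The regex names, the function name and both sample classes are my own constructions.

```python
import re

# Heuristic scanner for the CVE-2018-8373 trigger shape described above: a class
# whose Default Property Get resizes (ReDim Preserve) an array member of the same
# class, so a mere property access can reallocate the array mid-operation.
# Example code added here, not from the article; regex and function names are my own.
CLASS_RE = re.compile(r"\bClass\s+(\w+)\b(.*?)\bEnd\s+Class\b", re.I | re.S)
ARRAY_MEMBER_RE = re.compile(r"^\s*(?:Public|Private|Dim)\s+(\w+)\s*\(", re.I | re.M)
DEFAULT_GET_RE = re.compile(
    r"\bDefault\s+Property\s+Get\s+(\w+)\b(.*?)\bEnd\s+Property\b", re.I | re.S)
REDIM_PRESERVE_RE = re.compile(r"\bReDim\s+Preserve\s+(\w+)\s*\(", re.I)


def scan_vbscript(src: str) -> list[dict[str, str]]:
    """Return one finding per (class, default property) pair that matches."""
    findings: list[dict[str, str]] = []
    for cls_name, body in CLASS_RE.findall(src):
        # Array members declared at class scope, e.g. "Public array()".
        arrays = {name.lower() for name in ARRAY_MEMBER_RE.findall(body)}
        for prop, prop_body in DEFAULT_GET_RE.findall(body):
            resized = [t for t in REDIM_PRESERVE_RE.findall(prop_body)
                       if t.lower() in arrays]
            if resized:
                findings.append({"class": cls_name, "pattern": "CVE-2018-8373",
                                 "detail": f"Default Property Get {prop} resizes "
                                           f"member array {', '.join(resized)}"})
    return findings


# Constructed sample with the class shape the article describes (not the full PoC).
SUSPICIOUS_SAMPLE = """
Class VulClass
    Public array()
    Private Sub Class_Initialize
        ReDim array(2)
    End Sub
    Public Default Property Get P
        ReDim Preserve array(1)
    End Property
End Class
"""

# Constructed benign class: its default property only reads the array.
BENIGN_SAMPLE = """
Class Config
    Private items()
    Public Default Property Get Count
        Count = UBound(items) + 1
    End Property
End Class
"""
```

Running `scan_vbscript` over script text extracted from an Office document or HTML page reports the suspicious class and stays silent on the benign one; it is a triage heuristic, not a replacement for patching.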
The POC first executes the following line of code. The New operation runs the function VBScriptClass::InitializeClass; since VulClass overloads the Class_Initialize method, vbscript!CScriptEntryPoint::Call dispatches to the Class_Initialize method implemented by the script author:
```vb
Set cls = New VulClass
```
![](/Article/UploadPic/2018-8/2018818164227605.png)
The Class_Initialize method modifies the length of the array member:
```vb
Private Sub Class_Initialize
ReDim array(2)
End Sub
```
You can see that the Array object generated at this point is as shown below: the number of member variables is 3, and the corresponding pvData is 0x0514dfd0:
![](/Article/UploadPic/2018-8/2018818164228601.png)
Next the following line is executed. The VB engine parses it by scanning from left to right, so the cls.array(2) access is processed first:
```vb
cls.array(2) = cls
```
This calls the function vbscript!AccessArray to determine whether array(2) can be accessed, as shown below; at this point the corresponding array memory object is obtained: