Windows 10 News and info | Forum
Topic: IE Zero-Day Adopted by RIG Exploit Kit After Publication of PoC Code
« on: June 02, 2018, 03:13:49 AM »

An Internet Explorer zero-day vulnerability that came to light last month has now been incorporated in the RIG exploit kit, a web-based toolkit that malware authors use to infect a site's visitors with malware.

The vulnerability in question is CVE-2018-8174. This vulnerability affects VBScript, the Visual Basic scripting engine that's included with Internet Explorer and Microsoft Office.

On April 20, Bleeping Computer learned from a Chinese security researcher that a cyber-espionage group was using this vulnerability to infect users via Internet Explorer, as part of a series of attacks conducted by what later proved to be a North Korean state-sponsored hacking group.

Security researchers from Qihoo 360, who first spotted these attacks, reported the vulnerability to Microsoft, and the company patched the bug in the May 2018 Patch Tuesday security updates, released on May 8.

Write-ups and PoC lead to RIG EK incorporation

Subsequent write-ups from Qihoo 360 [1, 2, 3], Kaspersky Lab, and Malwarebytes revealed more details about the zero-day's new exploitation chain, which Qihoo researchers dubbed "double kill."

These write-ups were also at the base of a proof-of-concept (PoC) code released on GitHub by Morphisec security researcher Michael Gorelik. A Metasploit module was released shortly after.

But as has happened many times in the past, the publication of these technical write-ups and PoC code has also helped malware authors, not just security researchers.

For over a week now, the RIG exploit kit has been featuring a new exploit in its arsenal of weaponized vulnerabilities.

CVE-2018-8174 used to push coinminer

First spotted by security researcher Kafeine and later confirmed by Trend Micro, the RIG exploit kit is now using CVE-2018-8174 to infect users of Internet Explorer with malware.

Crooks are hijacking the traffic of legitimate sites and redirecting IE users to web pages hosting the RIG exploit kit, where RIG tries to infect the victim with the Smoke Loader malware, by exploiting the CVE-2018-8174 vulnerability in IE's VBScript engine.

Smoke Loader is known as a "malware dropper," and upon further instructions, it will download and install another piece of malware on users' computers, one that secretly mines for cryptocurrencies on the user's PC.

CVE-2018-8174 breathes new life into RIG EK operations

While North Korean hackers initially used CVE-2018-8174 to target people of interest to the Pyongyang regime, this former zero-day is now following the pattern of all zero-days before it: it has entered the public space and the exploitation chain of the RIG EK, where it's being used to target all users, not just a select few.

As Malwarebytes, Trend Micro, and Kafeine have pointed out, the addition of CVE-2018-8174 breathes some life back into the RIG EK, which previously hasn't seen any new updates for more than a year.

Furthermore, recent evidence suggests that besides RIG, CVE-2018-8174 is now also used by Cobalt, a well-known hacking group that targets banks and the financial sector.

Last Edit: June 03, 2018, 01:30:43 AM by javajolt
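The post above describes RIG delivering CVE-2018-8174 through VBScript in a landing page that IE users are redirected to. The following is an added example of a triage script for a captured landing page, written for this forum page and not code from the post, from Bleeping Computer, or from any of the vendors cited. It parses the page, collects every script block, reports which ones are VBScript (the only engine the bug lives in), and flags blocks whose text is dominated by Chr()/ChrW() calls, a common way to hide byte strings in script-based droppers. The Chr() density heuristic and its 0.05 threshold are the author's assumptions, not published RIG indicators, and the sample HTML is constructed.

```python
"""Triage a captured web page for VBScript blocks aimed at Internet Explorer.

Added example (not code from the post or the vendors it cites). The
Chr()/ChrW() density signal and the 0.05 cut-off are assumptions chosen for
illustration; the SAMPLE_HTML page is constructed.
"""
import re
from html.parser import HTMLParser

# Constructed sample: one JavaScript block, one ordinary VBScript block, and
# one VBScript block assembled almost entirely from Chr() calls.
SAMPLE_HTML = """<html><body>
<script language="JavaScript">var x = 1;</script>
<script language="VBScript">
Sub Greet()
  MsgBox "hello"
End Sub
</script>
<script type="text/vbscript">
Dim s
s = Chr(77) & Chr(90) & Chr(144) & ChrW(3) & Chr(0) & Chr(4)
Execute s
</script>
</body></html>"""

# Matches Chr( and ChrW( regardless of case or spacing before the paren.
CHR_CALL = re.compile(r"\bChrW?\s*\(", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect every <script> block together with its language/type attribute."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attr = {k.lower(): (v or "").lower() for k, v in attrs}
            kind = attr.get("language") or attr.get("type") or ""
            self._current = {"kind": kind, "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.blocks.append(self._current)
            self._current = None


def is_vbscript(kind):
    """True for language="VBScript" or type="text/vbscript" style markers."""
    return "vbscript" in kind


def chr_density(body):
    """Chr()/ChrW() calls per character of script text; 0.0 for empty bodies."""
    if not body.strip():
        return 0.0
    return len(CHR_CALL.findall(body)) / len(body)


def triage(html, threshold=0.05):
    """Return counts of script and VBScript blocks and the indices (among the
    VBScript blocks) whose Chr() density meets the assumed threshold."""
    parser = ScriptCollector()
    parser.feed(html)
    vbs = [b for b in parser.blocks if is_vbscript(b["kind"])]
    suspicious = [i for i, b in enumerate(vbs) if chr_density(b["body"]) >= threshold]
    return {"scripts": len(parser.blocks), "vbscript": len(vbs), "suspicious": suspicious}


if __name__ == "__main__":
    report = triage(SAMPLE_HTML)
    print(f"script blocks: {report['scripts']}, VBScript blocks: {report['vbscript']}")
    for idx in report["suspicious"]:
        print(f"VBScript block {idx} looks obfuscated (high Chr() density)")
```

A VBScript block on a page served to IE is not proof of exploitation, and a single Chr() density number is only a prioritisation signal; the point of the script is to pull the blocks out of a captured landing page quickly so an analyst can look at the right one first.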
