IE zero-day PoC

An Internet Explorer zero-day vulnerability that came to light last month has now been incorporated in the RIG exploit kit, a web-based toolkit that malware authors use to infect a site's visitors with malware.

The vulnerability in question is CVE-2018-8174. This vulnerability affects VBScript, the Visual Basic scripting engine that's included with Internet Explorer and Microsoft Office.

On April 20, Bleeping Computer learned from a Chinese security researcher that a cyber-espionage group was using this vulnerability to infect users via Internet Explorer, as part of a series of attacks conducted by what later proved to be a North Korean state-sponsored hacking group.

Security researchers from Qihoo 360, who first spotted these attacks, reported the vulnerability to Microsoft, and the company patched the bug in the May 2018 Patch Tuesday security updates, released on May 8.

Write-ups and PoC lead to RIG EK incorporation

Subsequent write-ups from Qihoo 360 [1, 2, 3], Kaspersky Lab, and Malwarebytes revealed more details about the zero-day's new exploitation chain, which Qihoo researchers dubbed "double kill."

These write-ups were also at the base of a proof-of-concept (PoC) code released on GitHub by Morphisec security researcher Michael Gorelik. A Metasploit module was released shortly after.

But as it happened many times in the past, the publication of these technical write-ups and PoC code have also helped malware authors, not just security researchers.

For over a week now, the RIG exploit kit has been featuring a new exploit in its arsenal of weaponized vulnerabilities.

CVE-2018-8174 used to push coinminer

First spotted by security researcher Kaffeine and later confirmed by Trend Micro, the RIG exploit kit is now using CVE-2018-8174 to infect users of Internet Explorer with malware.

Crooks are hijacking the traffic of legitimate sites and redirecting IE users to web pages hosting the RIG exploit kit, where RIG tries to infect the victim with the Smoke Loader malware, by exploiting the CVE-2018-8174 vulnerability in IE's VBScript engine.

Smoke Loader is known as a "malware dropper," and upon further instructions, it will download and install another malware on users' computers, one that secretly mines for cryptocurrencies on users' PC.

CVE-2018-8174 breathes new life into RIG EK operations

While in the beginning, North Korean hackers have used CVE-2018-8174 to target people of interest to the Pyongyang regime, now this former zero-day is following the pattern of all zero-days before it, and has entered the public space and exploitation chain of the RIG EK, where it's being used to target all users, not just a selected few.

As Malwarebytes, Trend Micro, and Kafeine have pointed out, the addition of CVE-2018-8174 breathes some life back into the RIG EK, which previously hasn't seen any new updates for more than a year.

Furthermore, recent evidence suggests that besides RIG, CVE-2018-8174 is now also used by Cobalt, a well-known hacking group that targets banks and the financial sector [1, 2].

Related Articles:

Microsoft Patches Windows Zero-Day Exploited in Cyber Attacks

HookAds Malvertising Installing Malware via the Fallout Exploit Kit

VirtualBox Zero-Day Vulnerability Details and Exploit Are Publicly Available

New Microsoft Edge Browser Zero-Day RCE Exploit in the Works

Attackers Use Zero-Day That Can Restart Cisco Security Appliances