An Internet Explorer zero-day vulnerability that came to light last month has now been incorporated in the RIG exploit kit, a web-based toolkit that malware authors use to infect a site's visitors with malware.
The vulnerability in question is CVE-2018-8174. This vulnerability affects VBScript, the Visual Basic scripting engine that's included with Internet Explorer and Microsoft Office.
On April 20, Bleeping Computer learned from a Chinese security researcher that a cyber-espionage group was using this vulnerability to infect users via Internet Explorer, as part of a series of attacks conducted by what later proved to be a North Korean state-sponsored hacking group.
Security researchers from Qihoo 360, who first spotted these attacks, reported the vulnerability to Microsoft, and the company patched the bug in the May 2018 Patch Tuesday security updates, released on May 8.
But as it happened many times in the past, the publication of these technical write-ups and PoC code have also helped malware authors, not just security researchers.
For over a week now, the RIG exploit kit has been featuring a new exploit in its arsenal of weaponized vulnerabilities.
Crooks are hijacking the traffic of legitimate sites and redirecting IE users to web pages hosting the RIG exploit kit, where RIG tries to infect the victim with the Smoke Loader malware, by exploiting the CVE-2018-8174 vulnerability in IE's VBScript engine.
Smoke Loader is known as a "malware dropper," and upon further instructions, it will download and install another malware on users' computers, one that secretly mines for cryptocurrencies on users' PC.
While in the beginning, North Korean hackers have used CVE-2018-8174 to target people of interest to the Pyongyang regime, now this former zero-day is following the pattern of all zero-days before it, and has entered the public space and exploitation chain of the RIG EK, where it's being used to target all users, not just a selected few.
As Malwarebytes, Trend Micro, and Kafeine have pointed out, the addition of CVE-2018-8174 breathes some life back into the RIG EK, which previously hasn't seen any new updates for more than a year.