Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit

Cyber criminals recently added the code for the CVE-2018-8174 Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.

Crooks recently added the code for an Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.

The Internet Explorer zero-day vulnerability, tracked as CVE-2018-8174, was first discovered a few weeks ago, it affects VBScript implemented in Internet Explorer and Microsoft Office.

Researchers from Advanced Threat Response Team of 360 Core Security Division first reported the zero-day

In May, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses it. The experts codenamed the vulnerability as “double kill” exploit.

Qihoo 360 researchers reported the vulnerability to Microsoft that addressed the flaw in the May 2018 Patch Tuesday security updates.

After the release of the security updates, on May 8, experts from Kaspersky Lab and Malwarebytes published a detailed analysis of the vulnerability, while researchers from Morphisec security firm released a proof-of-concept (PoC) code.

Experts released a Metasploit module for the exploitation of the CVE-2018-8174 once the PoC code was available online.

The availability of the PoC code for the vulnerability is a gift for vxers, in the specific case, the crooks included the code for the CVE-2018-8174 flaw in the RIG exploit kit.

“A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now beeing integrated in Browser Exploit Kits.” wrote the security researcher Kafeine.

“This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.”

Researchers from Trend Micro also observed that the RIG Exploit Kit is now leveraging CVE-2018-8174 to deliver Monero cryptocurrency miner.

“Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload.” reads the analysis from Trend Micro.

“Based on the latest activities we’ve observed from Rig, they’re now also exploiting CVE-2018-8174, a remote code execution vulnerability patched in May and reported to be actively exploited.”

Cyber criminals were hijacking the traffic of legitimate sites and redirecting IE users to compromised websites hosting the RIG exploit kit. The RIG exploit kit was used to drop the Smoke Loader malware, a tiny dropper used to install on the infected system a cryptocurrency miner.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-8174, RIG EK)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.