A new version of the RIG exploit kit, which cybercriminals use mainly to launch large-scale drive-by download attacks, is now exploiting a vulnerability in Internet Explorer. Only unpatched versions of IE are affected.
The flaw, tracked as CVE-2018-8174, lies in the Windows VBScript engine, so it can be reached through Internet Explorer or through any application that embeds the engine. It was discovered in April by researchers at Qihoo 360, who observed it in a targeted attack that used a malicious Word document carrying the exploit.
The attack is believed to have been launched by a North Korean hacking group. Microsoft patched the flaw in its May 8th (Patch Tuesday) update.
Security researchers from several companies have since published more detailed analyses, proof-of-concept code has been posted on GitHub, and a module for the popular Metasploit security testing framework is in development. The RIG operators took advantage of this public research and integrated the exploit into their toolkit.
“As with its previous campaigns, Rig’s Seamless campaign uses malvertising,” researchers from antivirus firm Trend Micro said in a blog post. “In this case, the malvertisements have a hidden iframe that redirects victims to Rig’s landing page, which includes an exploit for CVE-2018-8174 and shellcode. This enables remote code execution of the shellcode obfuscated in the landing page.”
On successful exploitation, the shellcode downloads a second-stage component, SmokeLoader, a malware downloader, which in turn fetches the final payload: a cryptocurrency miner that uses the victim's computing resources to mine Monero. More recently the same chain has been seen installing the ZeuS banking Trojan and Panda Banker, itself a ZeuS variant.
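The chain described above (malvertisement with a hidden iframe, landing page carrying a VBScript exploit and obfuscated shellcode, then a staged download) is something a web proxy or sandbox can triage before the full payload ever runs. The following is an added example, not code from the article, Trend Micro or the RIG kit: a small Python scanner that flags hidden or 1x1 iframes, VBScript blocks, the VBScript tokens associated with the public description of the CVE-2018-8174 trigger, and long `%u`-escaped or hex blobs typical of staged shellcode. The token list, the shellcode regex and the sample pages are assumptions constructed for the example; the domains are placeholders.

```python
import re
from html.parser import HTMLParser

# VBScript tokens associated with the public description of the CVE-2018-8174
# trigger (an object freed while a Class_Terminate callback still holds a
# reference, reached through ReDim Preserve / Erase on an array). This list
# is an assumption for the example, not a signature published in the article.
VBS_TRIGGER_TOKENS = ("class_terminate", "redim preserve", "erase")

# Long runs of %uXXXX escapes or raw hex, a common way to stage shellcode
# inside a landing page. Also a heuristic assumption.
SHELLCODE_RE = re.compile(r"(?:%u[0-9a-f]{4}){16,}|[0-9a-f]{128,}", re.I)


class LandingPageParser(HTMLParser):
    """Collect iframe attributes and script blocks (with their bodies) from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._script = {"attrs": attrs, "body": ""}

    def handle_data(self, data):
        if self._script is not None:
            self._script["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append(self._script)
            self._script = None


def is_hidden_iframe(attrs):
    """0x0 / 1x1 frames or CSS-hidden frames are the usual malvertising redirector."""
    style = attrs.get("style", "").lower().replace(" ", "")

    def tiny(value):
        return value.strip().lower().rstrip("px") in ("0", "1")

    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def is_vbscript(script):
    attrs = script["attrs"]
    return (attrs.get("language", "").lower().startswith("vbs")
            or "vbscript" in attrs.get("type", "").lower())


def scan_landing_page(html):
    """Return the indicators found in one HTML document and an overall verdict."""
    parser = LandingPageParser()
    parser.feed(html)
    parser.close()

    hidden_iframes = [a.get("src", "") for a in parser.iframes if is_hidden_iframe(a)]
    vbs_blocks = [s["body"] for s in parser.scripts if is_vbscript(s)]
    trigger_tokens = sorted({t for body in vbs_blocks
                             for t in VBS_TRIGGER_TOKENS if t in body.lower()})
    shellcode_blob = any(SHELLCODE_RE.search(body) for body in vbs_blocks)

    suspicious = bool(hidden_iframes) or bool(trigger_tokens) or shellcode_blob
    return {
        "hidden_iframes": hidden_iframes,
        "vbscript_blocks": len(vbs_blocks),
        "trigger_tokens": trigger_tokens,
        "shellcode_blob": shellcode_blob,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed sample pages (not real kit traffic); domains are placeholders.
SAMPLE_MALVERTISEMENT = """
<html><body>
<div class="ad"><img src="https://ads.example/banner.png"></div>
<iframe src="http://landing.example/seamless" width="1" height="1" style="display: none"></iframe>
</body></html>
"""

# A stand-in landing page: the VBScript only echoes the shape of the public
# trigger (class with Class_Terminate, ReDim Preserve, Erase) plus a fake
# %u-escaped blob; it is not a working exploit.
SAMPLE_LANDING = """
<html><body>
<script language="VBScript">
Dim arr(1)
Class Trigger
    Private Sub Class_Terminate
        Set arr(0) = Nothing
    End Sub
End Class
Set arr(0) = New Trigger
ReDim Preserve arr(1)
Erase arr
Dim sc
sc = "{shellcode}"
</script>
</body></html>
""".format(shellcode="%u9090" * 24)

SAMPLE_BENIGN = """
<html><body>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<script type="text/javascript">document.title = "hello";</script>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("malvertisement", SAMPLE_MALVERTISEMENT),
                       ("landing", SAMPLE_LANDING),
                       ("benign", SAMPLE_BENIGN)):
        print(name, scan_landing_page(page))
```

The heuristics are deliberately coarse: a hidden iframe alone is enough to mark an ad creative for review, while on the landing page it is the combination of a VBScript block, the trigger tokens and a large escaped blob that stands out. Obfuscated kits will rename variables, so the token check should be treated as one signal among several rather than a signature.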
“Malicious cryptocurrency miners may be less destructive, but their impact is long-term,” the Trend Micro researchers said. “They can remain undetected until telltale signs of infection become more evident, giving cybercriminals time to generate more illicit income.”