Security researchers have been following the activity surrounding the infamous Rig exploit kit. In these campaigns, attackers compromise websites to inject a malicious script that redirects potential victims to the EK’s landing page. This attack scenario changed slightly in March last year, when Rig was detected in the so-called Seamless campaign, which added another layer before the victim landed on the exploit kit’s page.
Besides the code updates, security researchers observed Rig delivering a cryptocurrency miner as the final payload of the operation. According to Trend Micro, Rig operators have now added a particular vulnerability to their exploit arsenal – CVE-2018-8174. The flaw is a remote code execution vulnerability that was reported to be actively exploited in May. It affects systems running Windows 7 and later and is reached through Internet Explorer and Microsoft Office documents that use the vulnerable script engine.
CVE-2018-8174 Official Description
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The Rig EK campaigns are not surprising at all, bearing in mind that the EK landscape changed drastically after some of the biggest exploit kits were thwarted. As a result, Rig became the most prevalent one, using a variety of vulnerabilities, both old and new. One of the older flaws used by Rig’s operators is CVE-2015-8651, an old code execution vulnerability in Adobe Flash that other exploit kits also employ.
What have Rig EK operators been doing lately?
In the case of the CVE-2018-8174 campaign, the deployed malvertisements contain a hidden iframe that redirects victims to Rig’s landing page, which includes an exploit for CVE-2018-8174 and shellcode, Trend Micro wrote. Remote code execution is achieved by running the shellcode obfuscated in the landing page. After successful exploitation, a second-stage downloader is retrieved, which is most likely a variant of SmokeLoader, judging by the URL. The final stage is the download of the final payload, a Monero miner.
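As an added example (not from the article or from Trend Micro’s research), the check below scans a page’s HTML for hidden iframes that load content from another host, which is the injection pattern described above for redirecting visitors to an exploit-kit landing page; the sample HTML and hostnames are constructed.

```python
"""Flag hidden, third-party iframes of the kind injected into compromised
sites to redirect visitors to an EK landing page (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel (with or without 'px')."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return bool(m) and int(m.group(1)) <= 1

def is_hidden(attrs):
    """Heuristics for an iframe meant to be invisible to the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d", style):   # positioned off-screen
        return True
    return _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))

def find_suspicious_iframes(html, page_host):
    """Return src values of hidden iframes whose host differs from the page's."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and is_hidden(attrs):
            hits.append(src)
    return hits

# Constructed sample: a visible third-party embed and an injected hidden redirect.
SAMPLE_HTML = """<html><body>
<iframe src="https://player.example.net/embed/1" width="560" height="315"></iframe>
<iframe src="http://landing.example-ek.invalid/index.php?q=1" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""
```

Run `find_suspicious_iframes(SAMPLE_HTML, "www.example.com")` against a saved copy of a page; only the hidden iframe is returned, the visible embed is not.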
How to Protect against Exploit Kits, Cryptocurrency Miners and Malware?
Since EKs are known to bring a variety of threats to victims, protection should be a priority. Rig EK has been using vulnerabilities in its campaigns, meaning that timely patching should be the rule of thumb. Here are some other useful tips to increase protection against such attacks:
- Virtual patching for safeguarding legacy systems and networks;
- Enabling and deploying firewalls and intrusion detection and prevention systems;
- Employing application control to mitigate unauthorized access and privilege;
- Restricting or disabling the use of unnecessary or outdated plug-ins, extensions or applications that may be used as entry points.
For home users the employment of anti-malware protection is also advisable.