Cybercriminals have recently added an Internet Explorer zero-day vulnerability to the RIG exploit kit to deliver Monero miners. Hackers use exploit kits to spread malware via a compromised website using multiple pre-written exploit codes that target insecure or outdated software applications.
In this case, the recently disclosed remote code execution vulnerability is CVE-2018-8174 which was patched by Microsoft in the May 2018 Patch Tuesday security updates released on May 8. The vulnerability impacts systems running Windows 7 and later operating systems while the exploit targets VBScript - the Visual Basic scripting engine in Internet Explorer and Microsoft Office.
In April, security researchers from Qihoo 360's Core security unit, who first disclosed the vulnerability, said a well-resourced advanced persistent threat (APT) group was using the zero-day flaw to infect Windows PCs on a "global scale". Researchers said the group was using malicious Office documents loaded with the "double-kill" vulnerability.
Following the release of Microsoft's security updates, Kaspersky and Malwarebytes researchers published detailed analyses of the vulnerability, and Morphisec security researcher Michael Gorelik released proof-of-concept code on GitHub. However, these in-depth technical reports, paired with the PoC code, have also proven useful to cybercriminals.
Security researcher Kafeine and Trend Micro researchers said the vulnerability has been incorporated into the RIG exploit kit and is being actively exploited in the wild.
"Rig was noted to deliver payloads such as the GandCrab ransomware and Panda Banker (a variant of the ZeuS banking trojan)," Trend Micro researchers said in a blog post published Friday. "It’s not a surprising move, given the popularity (and potential profit) of cryptocurrency mining. Malicious cryptocurrency miners may be less destructive, but their impact is long-term. They can remain undetected until telltale signs of infection become more evident, giving cybercriminals time to generate more illicit income."
Rig's Seamless campaign uses malvertisements with a hidden iframe to redirect victims to Rig's landing page. The landing page includes an exploit for CVE-2018-8174 and its shellcode alongside other exploits. RIG then attempts to exploit the Internet Explorer vulnerability and infect the victim with the SmokeLoader malware. SmokeLoader is a malware dropper capable of downloading and executing additional payloads, in this case a Monero miner.
Rig has become the most active exploit kit after other kits went quiet as cybercriminals switched tactics and operations. However, researchers note that Rig's speed in incorporating serious new security vulnerabilities shows that a "decline in exploit kit activity does not mean they're dead."
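The first link in the chain described above is a hidden iframe injected into a malvertisement. The following detector, added here as an illustration and not code from Trend Micro or from the article, scans a page's HTML for iframes that are rendered invisibly (zero or one-pixel dimensions, or CSS that hides or pushes them off-screen) and reports where they point. The sample HTML and the `ads.example` / `landing.example` hostnames are constructed for the example; only the Python standard library is used.

```python
"""Flag invisibly rendered iframes, the redirect technique used by
Rig's Seamless malvertising campaign (added example, not from the article)."""
import re
from html.parser import HTMLParser

# CSS patterns that make an iframe invisible or push it off the viewport.
SUSPICIOUS_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _px(value):
    """Parse a width/height attribute such as '0', '1px' or '300' to a float.
    Returns None when the attribute is absent or not numeric (e.g. '100%')."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+(?:\.\d+)?)\s*(px)?\s*$", value)
    return float(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def hidden_iframes(html):
    """Return [(src, [reasons])] for every iframe that would not be visible
    to the user. A visible ad-sized iframe is not reported."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-size")
        if SUSPICIOUS_STYLE.search(attrs.get("style", "")):
            reasons.append("css-hidden")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample: one legitimate banner and two hidden redirect frames.
SAMPLE_HTML = """
<html><body>
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://landing.example/index.html" width="0" height="0"></iframe>
<iframe src="http://landing.example/second.html" style="display:none"></iframe>
<div>page content</div>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src} ({', '.join(reasons)})")
```

In practice the scan runs over HTML captured at a proxy or in a sandbox, and the reported `src` values are what you pivot on in web-proxy logs to find which hosts fetched the landing page. Size and CSS checks are deliberately conservative: a frame that hides itself through a script or a stylesheet loaded separately will not be caught by static attribute inspection alone.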
"Other cybercriminals take this as an opportunity to fine-tune their tools and techniques," researchers explained. "Last April, for instance, we saw Rig employing an exploit for CVE-2018-4878 (patched last February), a use-after-free vulnerability in Adobe Flash, to replace their exploit for CVE-2015-8651. With this modus, we assume that its exploit for CVE-2018-8174 is a replacement for the previous exploit for CVE-2016-0189.
"Exploit kits can expose victims to multifarious threats — from information theft and file encryption to malicious cryptocurrency mining. Regularly applying the latest patches is an effective defense."