Crooks recently added the code for an Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.
The Internet Explorer zero-day vulnerability, tracked as CVE-2018-8174, was first discovered a few weeks ago, it affects VBScript implemented in Internet Explorer and Microsoft Office.
Researchers from Advanced Threat Response Team of 360 Core Security Division first reported the zero-day
In May, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses it. The experts codenamed the vulnerability as “double kill” exploit.
Qihoo 360 researchers reported the vulnerability to Microsoft that addressed the flaw in the May 2018 Patch Tuesday security updates.
After the release of the security updates, on May 8, experts from Kaspersky Lab and Malwarebytes published a detailed analysis of the vulnerability, while researchers from Morphisec security firm released a proof-of-concept (PoC) code.
The availability of the PoC code for the vulnerability is a gift for vxers, in the specific case, the crooks included the code for the CVE-2018-8174 flaw in the RIG exploit kit.
“This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.”
Researchers from Trend Micro also observed that the RIG Exploit Kit is now leveraging CVE-2018-8174 to deliver Monero cryptocurrency miner.
“Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload.” reads the analysis from Trend Micro.
Cyber criminals were hijacking the traffic of legitimate sites and redirecting IE users to compromised websites hosting the RIG exploit kit. The RIG exploit kit was used to drop the Smoke Loader malware, a tiny dropper used to install on the infected system a cryptocurrency miner.