21 June 2018
Rig Exploit Kit Expands Infection Chain
The notorious RIG, a favoured exploit kit (EK) among malicious actors since 2014, has added a new layer to its infection chain and now delivers cryptocurrency-mining malware as its final payload.
A RIG campaign usually begins with the threat actor compromising a website and injecting malicious code that redirects visitors to the kit's landing page.
The new layer is an exploit for CVE-2018-8174, a remote code execution vulnerability in the Windows VBScript engine. The flaw affects Windows 7 and later and is reachable through Internet Explorer and through Microsoft Office documents that invoke the vulnerable VBScript engine.
Infection Chain – Arrival
RIG is now seeded through malicious advertisements (malvertising) that carry hidden iframes. These redirect victims to RIG's landing page, which hosts an exploit for CVE-2018-8174 together with shellcode.
Infection Chain – Entry
Once the victim reaches the landing page, RIG exploits CVE-2018-8174 to execute obfuscated shellcode, the stage that ultimately delivers the cryptocurrency-mining payload.
(Figure: encrypted shellcode and obfuscated exploit for CVE-2018-8174)
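As an added example that is not part of the original article or of RIG's own code, the following Python script shows how a defender might triage captured advertisement and landing-page HTML for the two indicators the chain above relies on: an iframe sized or styled so the user never sees it, and a script block handed to the VBScript engine in which CVE-2018-8174 lives. The markup and the .invalid host names are constructed samples, not indicators from the campaign, and the sizing thresholds are an assumption chosen for illustration.

```python
# Added example (not from the original article): heuristic triage of the two
# page-side indicators described in the text, a hidden iframe in an ad creative
# and a VBScript block on the landing page it points at. All sample HTML below
# is constructed for illustration; the .invalid host names are placeholders.
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# CSS that makes a frame invisible while it still loads its src (assumed
# heuristic list; real campaigns vary these).
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px",  # pushed far off-screen
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "hidden_iframe" or "vbscript"
    src: str     # URL the element loads, or "" for inline content
    reason: str  # why it was flagged


class LandingPageScanner(HTMLParser):
    """Collects hidden iframes and VBScript usage from one HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[Finding] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attrs are None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            reasons = []
            for dim in ("width", "height"):
                raw = a.get(dim, "").strip().lower().removesuffix("px")
                if raw.isdigit() and int(raw) <= 1:   # 0x0 or 1x1 frame
                    reasons.append(f"{dim}={raw}")
            if HIDDEN_STYLE_RE.search(a.get("style", "")):
                reasons.append("hidden by style")
            if reasons:
                self.findings.append(
                    Finding("hidden_iframe", a.get("src", ""), ", ".join(reasons)))
        elif tag == "script":
            lang = a.get("language", "").lower()
            typ = a.get("type", "").lower()
            if lang == "vbscript" or "vbscript" in typ:
                self.findings.append(
                    Finding("vbscript", a.get("src", ""),
                            "script block executed by the VBScript engine"))


def scan_html(document: str) -> list[Finding]:
    """Return all indicators found in one HTML document, in document order."""
    scanner = LandingPageScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def hidden_iframe_targets(document: str) -> list[str]:
    """URLs loaded by hidden iframes: the redirect targets worth pivoting on."""
    return [f.src for f in scan_html(document) if f.kind == "hidden_iframe"]


# Constructed sample: an ad creative carrying a zero-size, hidden frame.
AD_HTML = """<div class="ad">
  <img src="http://ads.invalid/banner.jpg" width="300" height="250">
  <iframe src="http://landing.invalid/index.php?id=1" width="0" height="0"
          style="visibility:hidden"></iframe>
</div>"""

# Constructed sample: a landing page that hands control to the VBScript engine.
LANDING_HTML = """<html><body>
<script language="VBScript">
Dim arr(1)
' exploit logic would follow here; omitted
</script>
</body></html>"""

# Constructed benign control: an ordinary visible embedded frame.
BENIGN_HTML = ('<iframe src="http://video.invalid/embed" '
               'width="560" height="315"></iframe>')

if __name__ == "__main__":
    for label, doc in (("ad", AD_HTML), ("landing", LANDING_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(doc))
```

Treat the output as triage, not a verdict: 1x1 frames are common in legitimate ad-tech tracking, and kit operators change attribute names, units and CSS freely. The useful product is the list of hidden-frame targets, which can be fetched in a sandbox and scanned in turn for VBScript and other exploit-stage content.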
What Are the Consequences?
The vulnerability corrupts memory in a way that lets the attacker execute arbitrary code in the context of the current user. An attacker who exploits it successfully gains the same rights as that user; if the user is logged on with administrative rights, the attacker can take full control of the affected system, installing programs, viewing, changing or deleting data, and creating new accounts with full user rights. Accounts with fewer rights on the system limit what the attacker can do, which is one reason to browse from a non-administrative account, and systems that have applied Microsoft's May 2018 security update for CVE-2018-8174 are not vulnerable to this stage of the chain.