21 June 2018

Rig Exploit Kit Expands Infection Chain

The notorious RIG, a favoured Exploit Kit (EK) for malicious actors since 2014, has been expanded to include a new layer in the infection chain as well as cryptocurrency-mining malware as its final payload.

Usually, a RIG exploit kit campaign begins with a threat actor compromising a website and injecting malicious code that redirects visitors to the kit’s landing page.

Now, an additional layer sits before the landing page is reached: a remote code execution vulnerability (CVE-2018-8174). The flaw affects systems running Windows 7 and later, and is reached via Internet Explorer and Microsoft Office documents that use the vulnerable VBScript engine.

Infection Chain

Infection Chain – Arrival

RIG uses malicious advertisements (malvertising) containing hidden iframes that redirect victims to RIG’s landing page, which hosts an exploit for CVE-2018-8174 together with shellcode.

RIG’s iframe

Infection Chain – Entry

Once on the landing page, RIG exploits CVE-2018-8174 to execute obfuscated shellcode.

Encrypted Shellcode and Obfuscated Exploit for the CVE-2018-8174
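Both of the page-level indicators described above (the hidden iframe used for the malvertising redirect, and inline VBScript, the engine CVE-2018-8174 abuses and one that only Internet Explorer will run) can be checked statically in a fetched page. The following checker is an added example for this post, not code from the original write-up or from any vendor; the sample HTML, hostnames and thresholds are constructed for the demonstration, and the heuristics (one-pixel or CSS-hidden frames, off-screen positioning, a `language="VBScript"` script block) are the author's assumptions about what a defender would flag, not an exhaustive signature.

```python
"""Static checker for hidden iframes and inline VBScript in an HTML page.

Added example (not the original post's code). Flags:
  * iframes that are hidden (1x1 or smaller, CSS-hidden, or off-screen), and
    notes when their src is on a different host than the page itself;
  * <script> blocks declared as VBScript, which only Internet Explorer executes
    and which are the surface the CVE-2018-8174 exploit targets.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal ad frame, a hidden off-screen redirect frame
# to a different host, a harmless JavaScript block and an inline VBScript block.
SAMPLE_HTML = """<html><body>
<h1>Daily news</h1>
<iframe src="https://ads.example.net/banner" width="300" height="250"></iframe>
<iframe src="http://landing.example.test/gate.php" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
<script type="text/javascript">console.log("ok");</script>
<script language="VBScript">
  Dim o
  Set o = New MyClass
</script>
</body></html>"""

_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)


class _Collector(HTMLParser):
    """Collects iframe attributes and <script> (attributes, body) pairs."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script = None  # [attrs, accumulated body] while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names are already lowercased
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._script = [a, ""]

    def handle_data(self, data):
        if self._script is not None:
            self._script[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append((self._script[0], self._script[1]))
            self._script = None


def _tiny(value):
    """True for width/height attributes of 0 or 1 (pixel) - a classic hidden frame."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def hidden_iframe_reasons(attrs):
    """Return the list of reasons an iframe looks hidden (empty if it looks normal)."""
    reasons = []
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
        reasons.append("zero/one-pixel size")
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden via CSS")
    return reasons


def is_vbscript(attrs):
    """True when a <script> declares itself as VBScript via language= or type=."""
    return ("vbscript" in attrs.get("language", "").lower()
            or "vbscript" in attrs.get("type", "").lower())


def scan(html, page_url):
    """Return a list of findings (dicts) for the page; an empty list means nothing flagged."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    page_host = urlparse(page_url).hostname
    findings = []
    for a in parser.iframes:
        reasons = hidden_iframe_reasons(a)
        if not reasons:
            continue  # a visible frame is not, by itself, suspicious
        src_host = urlparse(a.get("src", "")).hostname
        findings.append({
            "kind": "hidden-iframe",
            "src": a.get("src", ""),
            "reasons": reasons,
            "cross_origin": bool(src_host and page_host and src_host != page_host),
        })
    for attrs, body in parser.scripts:
        if is_vbscript(attrs):
            findings.append({"kind": "vbscript", "length": len(body.strip())})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "https://news.example.com/today"):
        print(f)
```

Run against a page saved from a proxy or sandbox, `scan()` gives a quick triage signal: a hidden, cross-origin iframe is the shape of the malvertising redirect described above, and any VBScript block on a public web page deserves a closer look, since legitimate sites have had little reason to ship it for years. The checker deliberately does not try to decode the obfuscated exploit itself; it only surfaces where the chain starts.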

Infection Chain – Execution

After successful exploitation, a second-stage downloader is retrieved, which was found to be a variant of “SmokeLoader.” This in turn downloads a Monero cryptocurrency miner as the final payload.

The Monero Miner’s Configuration

What Are the Consequences?

The vulnerability could corrupt memory, allowing the attacker to execute arbitrary code in the context of the current user. If successfully exploited, the malicious actor would gain the same user rights as the current user; if that user has administrative rights, the attacker has the ‘keys to the castle’ and the entire infrastructure is at risk. With administrative rights, the attacker can take control of the affected system: install programs, change or delete data, or create new accounts with full user rights.