CVE-2018-8174 Vulnerability Used by Rig Exploit Kit

Security researchers have been following the activity surrounding the infamous Rig exploit kit. In these campaigns, attackers compromise websites to inject a malicious script that redirects potential victims to the EK’s landing page. This attack scenario changed slightly in March last year, when Rig was detected in the so-called Seamless campaign, which added another redirection layer before the victim lands on the exploit kit’s page.

Besides the code updates, security researchers observed Rig delivering a cryptocurrency miner as the final payload of the operation. According to Trend Micro, Rig operators have now added a particular vulnerability to their exploit arsenal – CVE-2018-8174. This flaw is a remote code execution vulnerability and was reported to be actively exploited in May. It affects systems running Windows 7 and later, and it is reachable through Internet Explorer and Microsoft Office documents that use the vulnerable script engine.

CVE-2018-8174 Official Description

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The campaigns of Rig EK are not surprising at all, given that the EK landscape changed drastically with the thwarting of some of the biggest exploit kits. As a result, Rig became the most prevalent one, using a variety of vulnerabilities, (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: