Exploits & Vulnerabilities
Rig Abuses CVE-2018-8174 to Deliver Monero Miner
Sometime around February to March last year, we saw the Rig exploit kit’s Seamless campaign adding another gate before the actual landing page.
An exploit kit such as Rig usually starts off with a threat actor compromising a website to inject a malicious script/code that eventually redirects would-be victims to the exploit kit’s landing page. Sometime around February to March last year, however, we saw Rig’s Seamless campaign adding another layer or gate before the actual landing page.
Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload. Based on the latest activities we’ve observed from Rig, they’re now also exploiting CVE-2018-8174, a remote code execution vulnerability patched in May and reported to be actively exploited. The exploit also appears to be from a recently disclosed proof of concept. The security flaw affects systems running Windows 7 and later operating systems, and the exploit works through Internet Explorer (IE) and Microsoft Office documents that use the vulnerable script engine.
Rig eventually became the most active exploit kit after its predecessors stopped operations or switched to other business models. Rig exploits a variety of vulnerabilities. Among them is CVE-2015-8651, an old code execution vulnerability in Adobe Flash that other exploits kits such as Astrum and other cybercriminals also employ.
Rig’s Recent Activities
Rig shows that the decline in exploit kit activity does not mean they’re dead. In fact, other cybercriminals take this as an opportunity to fine-tune their tools and techniques. Last April, for instance, we saw Rig employing an exploit for CVE-2018-4878 (patched last February), a use-after-free vulnerability in Adobe Flash, to replace their exploit for CVE-2015-8651. With this modus, we assume that its exploit for CVE-2018-8174 is a replacement for the previous exploit for CVE-2016-0189.
More recently, Rig was noted to deliver payloads such as the GandCrab ransomware and Panda Banker (a variant of the ZeuS banking trojan). It's not a surprising move, given the popularity (and potential profit) of cryptocurrency mining. Malicious cryptocurrency miners may be less destructive, but their impact is long-term. They can remain undetected until telltale signs of infection become more evident, giving cybercriminals time to generate more illicit income.
Figure 1: The campaign’s infection chain
Infection Chain
As with its previous campaigns, Rig’s Seamless campaign uses malvertising. In this case, the malvertisements have a hidden iframe that redirects victims to Rig’s landing page, which includes an exploit for CVE-2018-8174 and shellcode. This enables remote code execution of the shellcode obfuscated in the landing page. After successful exploitation, a second-stage downloader is retrieved, which appears to be a variant of SmokeLoader due to the URL. It would then download the final payload, a Monero miner.
Figure 2: Rig’s Seamless-related iframe
Figure 3: Encrypted shellcode (top) and obfuscated exploit for the CVE-2018-8174 (bottom)
Figure 4: The Monero miner's configuration
Figure 5: The cryptocurrency-mining malware’s process tree (wuapp.exe)
Mitigation
Exploit kits can expose victims to multifarious threats — from information theft and file encryption to malicious cryptocurrency mining. Regularly applying the latest patches is an effective defense. Some of the best practices for organizations include:
- Considering virtual patching for safeguarding legacy systems and networks.
- Enabling and deploying firewalls as well as intrusion detection and prevention systems to help better monitor and scan traffic traversing the corporate network.
- Employing application control to mitigate unauthorized access and privilege by preventing suspicious applications or processes from executing, such as those spawned by malicious cryptocurrency-mining executables.
- Restricting or disabling the use of unnecessary or outdated plug-ins, extensions or applications that may be used as entry points.
Trend Micro Solutions
A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro’s endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs. Trend Micro™ Deep Security and Vulnerability Protection protect user systems from threats that may exploit CVE-2018-8174 via the following DPI rule:
- 1009067 – Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit CVE-2018-8174 via this MainlineDV filter:
- 31493: HTTP: Microsoft Windows VBScript Engine Class_Terminate Use-after-Free Vulnerability
Indicators of Compromise (IoCs)
Related Hashes (SHA-256):
- 23A05DB7E30B049C5E60BF7B875C7EFC7DCD95D9B775F34B11662CBD2A4DD7B4 — Internet Explorer exploit (VBScript) for CVE-2018-8174 detected as VBS_CVE20188174.B
- BC1FD88BBA6A497DF68A2155658B5CA7306CD94BBEA692287EB8B59BD24156B4— Flash (SWF) exploit for CVE-2018-8174 detected as SWF_CVE20184878.O
- 66E4E472DA1B128B6390C6CBF04CC70C0E873B60F52EABB1B4EA74EBD119DF18 — TROJ_SHARIK.YUYMR (SmokeLoader)
- 716a65e4b63e442756f63e3ac0bb971ee007f0bf9cf251b9f0bfd84e92177600 — COINMINER_MALXMR.THDBFAK-WIN32 (Monero Miner)
Related IP Addresses and Malicious Domains:
- 206[.]189[.]89[.]65
- 46[.]30[.]42[.]18
- vnz[.]bit
- khuongduy[.]ru/z[.]txt