CVE-2018-8174 (VBScript Engine) and Exploit Kits

The CVE-2018-8174 is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, announced by Qihoo360 on April 20, 2018, patched by Microsoft on May 8, 2018 and explained in details by Kaspersky the day after.

A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now beeing integrated in Browser Exploit Kits.

This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.

RIG:

Spotted on the 2018-05-25

“TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased:

Добавлен CVE-2018-8174
Add CVE-2018-8174
Пробив/rate +
[redacted]@exploit.im
[redacted]@xmpp.jp

And indeed today:

Files: PCAP on VT

Acknowledgement:

• Thanks to William Metcalf and Frank Ruiz (FoxIT InTELL) for their help.

Magnitude:

Spotted on the 2018-06-02

After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174:

Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment

Files: Fiddler on VT (note: some proxy were used)

GrandSoft:

Spotted by Joseph Chen on 2018-06-14

Files: Fiddler on VT – Pcap on VT

Acknowledgement:

• Thanks to Joseph Chen who spotted the new exploit and allowed the capture of this traffic.

Edits:

• 2018-06-19 – Added the name for the Loader

Fallout:

Spotted on 2018-06-30, most probably there since 2018-06-16

Files: Fiddler on VT – Pcap on VT

Acknowledgement:

• Thanks to Nao_Sec for the initial referer. Thanks to Joseph Chen for additionnal inputs

Kaixin EK:

Spotted by JayK on 2018-07-12

Files: Fiddler on VT – Pcap on VT

Hunter EK:

Files: Fiddler on VT

Acknowledgement:

• Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture.

Greenflash Sundown:

Spotted by Chaoying Liu on 2018-09-05

Acknowledgement:

• Thanks to Chaoying Liu for the CVE identification.

Read More:
The King is dead. Long live the King! – 2018-05-09 – SecureList
Analysis of CVE-2018-8174 VBScript 0day – 2018-05-09 – Qihoo360

Post publication reading:
Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner – 2018-05-31 – Trend Micro
Delving deep into VBScript – Analysis of CVE-2018-8174 exploitation – 2018-07-03 – SecureList
Hello “Fallout Exploit Kit” – 2018-09-01 – Nao_Sec

Print Share Comment Cite Upload Translate

APA

() » CVE-2018-8174 (VBScript Engine) and Exploit Kits. Retrieved from https://www.truth.cx/2018/05/25/cve-2018-8174-vbscript-engine-and-exploit-kits/.

MLA

" » CVE-2018-8174 (VBScript Engine) and Exploit Kits." - , https://www.truth.cx/2018/05/25/cve-2018-8174-vbscript-engine-and-exploit-kits/

HARVARD

» CVE-2018-8174 (VBScript Engine) and Exploit Kits., viewed ,

VANCOUVER

- » CVE-2018-8174 (VBScript Engine) and Exploit Kits. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2018/05/25/cve-2018-8174-vbscript-engine-and-exploit-kits/

CHICAGO

" » CVE-2018-8174 (VBScript Engine) and Exploit Kits." - Accessed . https://www.truth.cx/2018/05/25/cve-2018-8174-vbscript-engine-and-exploit-kits/

IEEE

" » CVE-2018-8174 (VBScript Engine) and Exploit Kits." [Online]. Available: https://www.truth.cx/2018/05/25/cve-2018-8174-vbscript-engine-and-exploit-kits/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <p>The <a href="http://cve.circl.lu/cve/CVE-2018-8174" title="Circl.lu CVE-2018-8174">CVE-2018-8174</a> is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, <a href="https://weibo.com/ttarticle/p/show?id=2309404230886689265523" title="新型Office攻击使用浏览器“双杀”漏洞">announced by Qihoo360 on April 20, 2018</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174" title="CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability">patched by Microsoft</a> on May 8, 2018 and explained in details by <a href="https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/" title="The King is dead. Long live the King! Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174">Kaspersky</a> the day after.</p> <p>A Proof of Concept for Internet Explorer 11 on Windows 7 has been <a href="https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript">shared publicly 3 days ago</a>, it’s now beeing integrated in Browser Exploit Kits.</p> <p>This will replace <a href="https://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html">CVE-2016-0189</a> from july 2016 and might shake the Drive-By landscape for the coming months.</p> <h2 id="rig"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#rig">RIG</a>:</h2> <p><em>Spotted on the 2018-05-25</em></p> <p>“TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased:</p> <p>Добавлен CVE-2018-8174<br /> Add CVE-2018-8174<br /> Пробив/rate + <img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/boom.gif" alt="boom.gif" /><br /> [redacted]@exploit.im<br /> [redacted]@xmpp.jp<br /></p> <p>And indeed today:</p> <p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/rig_cve-2018-8174.png" alt="RIG_CVE-2018-8174" class="center" /></p> <center><em>Figure 1: RIG launching code exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-05-25 </em></center> <p><br /></p> <table> <thead> <tr> <th>IOC</th> <th>Type</th> <th>Comment</th> <th>Date</th> </tr> </thead> <tbody> <tr> <td>206.189.147.254</td> <td>IP</td> <td>Redirector</td> <td>2018-05-23</td> </tr> <tr> <td>95.142.40.187</td> <td>IP</td> <td>RIG</td> <td>2018-05-24</td> </tr> <tr> <td>95.142.40.185</td> <td>IP</td> <td>RIG</td> <td>2018-05-24</td> </tr> <tr> <td>95.142.40.184</td> <td>IP</td> <td>RIG</td> <td>2018-05-24</td> </tr> <tr> <td>46.30.42.164</td> <td>IP</td> <td>RIG</td> <td>2018-05-24</td> </tr> <tr> <td>vnz[.]bit|104.239.213[.]7</td> <td>domain|IP</td> <td>Smoke Bot C2</td> <td>2018-05-25</td> </tr> <tr> <td>vnz2107[.]ru|104.239.213[.]7</td> <td>domain|IP</td> <td>Smoke Bot C2</td> <td>2018-05-25</td> </tr> <tr> <td><a href="https://www.virustotal.com/en/file/eeaa1ff2e9d33573590a8acb63cc8e6f390c0b056ff709e2945bf375d5ac5003/analysis/">92e7cfc803ff73ed14c6bf7384834a09</a></td> <td>md5</td> <td>Smoke Bot</td> <td>2018-05-25</td> </tr> <tr> <td><a href="https://www.virustotal.com/en/file/21062145f36a21cd7d8de7066f18be71f3f5bb16b1347c6d1f1065f627744fe4/analysis/">58648ed843655d63570f8809ec2d6b26</a></td> <td>md5</td> <td>Extracted VBS</td> <td>2018-05-25</td> </tr> </tbody> </table> <p>Files: <a href="https://www.virustotal.com/#/file/57281640e8ed514803a1c47c4ecb4e14462795b02308511d154b56d33e57ec00/detection">PCAP on VT</a></p> <p><strong>Acknowledgement:</strong><br /></p> <ul> <li>Thanks to <a href="https://twitter.com/node5">William Metcalf</a> and Frank Ruiz (FoxIT InTELL) for their help.</li> </ul> <h2 id="magnitude"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#magnitude">Magnitude</a>:</h2> <p><em>Spotted on the 2018-06-02</em></p> <p>After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174: <img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/magnitude_cve-2018-8174.png" alt="Magnitude_CVE-2018-8174" class="center" /></p> <center><em>Figure 2: Magnitude successfully exploiting CVE-2018-8174 against IE11 on Windows 7 to deploy Magniber Ransomware - 2018-06-02 </em></center> <p>Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment</p> <table> <thead> <tr> <th>IOC</th> <th>Type</th> <th>Comment</th> <th>Date</th> </tr> </thead> <tbody> <tr> <td>taxhuge[.]com|149.56.159.203</td> <td>Domain|IP</td> <td>Magnigate step 1</td> <td>2018-06-02</td> </tr> <tr> <td>69j366ma35.fedpart[.]website|167.114.33.110</td> <td>Domain|IP</td> <td>Magnigate step 2</td> <td>2018-06-02</td> </tr> <tr> <td>a23e5cwd602oe46d.addrole[.]space|167.114.191.124</td> <td>Domain|IP</td> <td>Magnitude</td> <td>2018-06-02</td> </tr> <tr> <td><a href="https://www.virustotal.com/en/file/5990f09396ff018600f022e621921909bea8ea823398bd10dbade4f27b59e12f/analysis/">f48a248ddec2b7987778203f2f6a11b1</a></td> <td>md5</td> <td>Extracted VBS</td> <td>2018-06-02</td> </tr> <tr> <td><a href="https://www.virustotal.com/en/file/24d17158531180849f5b0819ac965d796886b8238d8a690e2a7ecb3d7fd3bf2b/analysis/">30bddd0ef9f9f178aa39599f0e49d733</a></td> <td>md5</td> <td>Magniber</td> <td>2018-06-02</td> </tr> <tr> <td>[ID].bitslot[.]website|139.60.161.51</td> <td>Domain|IP</td> <td>Magniber Payment Server</td> <td>2018-06-02</td> </tr> <tr> <td>[ID].carefly[.]space|54.37.57.152</td> <td>Domain|IP</td> <td>Magniber Payment Server</td> <td>2018-06-02</td> </tr> <tr> <td>[ID].trapgo[.]host|185.244.150.110</td> <td>Domain|IP</td> <td>Magniber Payment Server</td> <td>2018-06-02</td> </tr> <tr> <td>[ID].farmand[.]site|64.188.10.44</td> <td>Domain|IP</td> <td>Magniber Payment Server</td> <td>2018-06-02</td> </tr> </tbody> </table> <p>Files: <a href="https://www.virustotal.com/#/file/1e5d0903198baac5eb213d290dd2c53124685de250ad18b709a6e83b826cdc69/detection">Fiddler on VT</a> <em>(note: some proxy were used)</em></p> <h2 id="grandsoft"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#grandsoft">GrandSoft</a>:</h2> <p><em>Spotted by <a href="https://twitter.com/jspchc">Joseph Chen</a> on 2018-06-14</em></p> <p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/grandsoft_cve-2018-8174.png" alt="GrandSoft_CVE-2018-8174" class="center" /></p> <center><em>Figure 3: GrandSoft exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-06-14 </em></center> <p><br /></p> <p>Files: <a href="https://www.virustotal.com/#/file/b9847896178e810f9b51b07a89a78b88d5b651a629ca8c1290df57eada788937/detection">Fiddler on VT</a> - <a href="https://www.virustotal.com/#/file/9bec88033de8f4d913a6674168faf124ec5bb47216d15a42a7293e47c54ff7ff/detection">Pcap on VT</a></p> <table> <thead> <tr> <th>IOC</th> <th>Type</th> <th>Comment</th> <th>Date</th> </tr> </thead> <tbody> <tr> <td>easternflow[.]ml|200.74.240.219</td> <td>Domain|IP</td> <td>BlackTDS</td> <td>2018-06-14</td> </tr> <tr> <td>uafcriminality[.]lesbianssahgbrewingqzw[.]xyz|185.17.122.212</td> <td>Domain|IP</td> <td>GrandSoft EK</td> <td>2018-06-14</td> </tr> <tr> <td><a href="https://www.virustotal.com/en/file/69ec63646a589127c573fed9498a11d3e75009751ac5e16a80e7aa684ad66240/analysis/">cec253acd39fe5d920c7da485e367104</a></td> <td>md5</td> <td>Undefined Loader</td> <td>2018-06-14</td> </tr> <tr> <td><a href="https://www.virustotal.com/en/file/f75c442895e7b8c005d420759dfcd4414ac037cf6bdd5771e23cedd73693a075/analysis/">a15d9257a0c1421353edd31798f03cd6</a></td> <td>md5</td> <td>GandCrab</td> <td>2018-06-14</td> </tr> <tr> <td>91.210.104.247</td> <td>IP</td> <td>AscentorLoader C2</td> <td>2018-06-14</td> </tr> <tr> <td>carder[.]bit</td> <td>Domain</td> <td>GandCrab C2</td> <td>2018-06-14</td> </tr> <tr> <td>ransomware[.]bit</td> <td>Domain</td> <td>GandCrab C2</td> <td>2018-06-14</td> </tr> </tbody> </table> <p><strong>Acknowledgement:</strong><br /></p> <ul> <li>Thanks to <a href="https://twitter.com/jspchc">Joseph Chen</a> who spotted the new exploit and allowed the capture of this traffic.</li> </ul> <p><strong>Edits:</strong><br /></p> <ul> <li>2018-06-19 - Added the name for the Loader <br /></li> </ul> <h2 id="fallout"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#fallout">Fallout</a>:</h2> <p><em>Spotted on 2018-06-30, most probably there since 2018-06-16</em></p> <p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/fallout_cve-2018-8174.png" alt="Fallout_CVE-2018-8174" class="center" /></p> <center><em>Figure 4: Fallout exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-30 </em></center> <p>Files: <a href="https://www.virustotal.com/en/file/5202d382cb8e629a037e33117883dc4f44996b9f17ac774e18e7b0152e526eea/analysis/">Fiddler on VT</a> - <a href="https://www.virustotal.com/en/file/54fa6d37f97e65cc62d96a5f0c2e3de9f32f2c0b2b2bbb7bc51f4d2f1e07b206/analysis/">Pcap on VT</a></p> <p><strong>Acknowledgement:</strong><br /></p> <ul> <li>Thanks to <a href="https://twitter.com/nao_sec">Nao_Sec</a> for the initial referer. Thanks to <a href="https://twitter.com/jspchc">Joseph Chen</a> for additionnal inputs</li> </ul> <h2 id="kaixin-ek"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#kaixin">Kaixin EK</a>:</h2> <p><em>Spotted by <a href="https://twitter.com/wugeej/status/1017208092482625536">JayK</a> on 2018-07-12</em></p> <p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/kaixin_cve-2018-8174.png" alt="Kaixin_CVE-2018-8174" class="center" /></p> <center><em>Figure 5: Kaixin exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-11 </em></center> <p>Files: <a href="https://www.virustotal.com/en/file/fc46d7d51778396261eae02f11eaddce18c97aab9ef8227547094023ee58d3cf/analysis/">Fiddler on VT</a> - <a href="https://www.virustotal.com/en/file/d442c4c9e0911de27f28c0d06565c1790460b832e7439233ebd0b5526eb9f801/analysis/">Pcap on VT</a></p> <h2 id="hunter-ek"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#hunter">Hunter EK</a>:</h2> <p><img src="https://malware.dontneedcoffee.com/images/blog/CVE-2018-8174/hunter_cve-2018-8174.png" alt="Hunter_CVE-2018-8174" class="center" /></p> <center><em>Figure 6: Hunter including CVE-2018-8174 in its carpet bombing against IE11 on Windows 7 - 2018-08-30 </em></center> <p>Files: <a href="https://www.virustotal.com/en/file/cc9e0347ae679b9d15d2138bff532cd27edae2b4e171d6b0a46c09adc5aaed19/analysis/">Fiddler on VT</a></p> <p><strong>Acknowledgement:</strong><br /></p> <ul> <li>Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture.</li> </ul> <h2 id="greenflash-sundown"><a href="https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html#sundown-gf">Greenflash Sundown</a>:</h2> <p><em>Spotted by <a href="https://twitter.com/ring_lcy">Chaoying Liu</a> on 2018-09-05</em></p> <p><strong>Acknowledgement:</strong><br /></p> <ul> <li>Thanks to <a href="https://twitter.com/ring_lcy">Chaoying Liu</a> for the CVE identification.</li> </ul> <p><strong>Read More:</strong><br /> <a href="https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/">The King is dead. Long live the King!</a> - 2018-05-09 - SecureList<br /> <a href="http://blogs.360.cn/blog/cve-2018-8174-en/">Analysis of CVE-2018-8174 VBScript 0day</a> - 2018-05-09 - Qihoo360<br /></p> <p><strong>Post publication reading:</strong><br /> <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/">Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner</a> - 2018-05-31 - Trend Micro<br /> <a href="https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/">Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation</a> - 2018-07-03 - SecureList<br /> <a href="https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html">Hello “Fallout Exploit Kit”</a> - 2018-09-01 - <a href="https://twitter.com/nao_sec">Nao_Sec</a><br /></p> First name:

Last name: