Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools
The CVE-2018-8174 vulnerability in Internet Explorer was found using OSINT tools and used by a nation-state group from North Korea. By constantly monitoring news outlets with WEBINT platforms, we discovered that the vulnerability was later adopted by cyber criminals globally, and was embedded inside exploit kits that were traded throughout dark-web platforms. The following is an in-depth exploration of our findings surrounding the vulnerability.
The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it also affects IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018.
We use WEBINT tools frequently to monitor underground hacking communities, in this case, our monitoring revealed that since its discovery, various threat actors in the Russian underground hacking scene have shown a keen interest in this particular vulnerability, indicating their strong intent to exploit it in attacks. Since then, we have observed exploits for this vulnerability incorporated into several prominent attack tools used by Russian threat actors, including the RIG Exploit Kit and the Threadkit package of Office exploits indicating that cybercriminals see it as a profitable attack vector. Concurrently, security reports state that the exploitation of this vulnerability has been witnessed in additional attack campaigns.
The CVE-2018-8174 Exploit
The vulnerability exists in the VBScript – incorporated both in the Internet Explorer browser and in Microsoft Office software. Being a use-after-free (UAF) memory vulnerability, it is particularly dangerous because of the enabling of the execution of arbitrary code, or, in some cases, full remote code execution, due to access to read and write primitives.
The APT attack spotted in China, later attributed to North Korean threat actors, used the URL Moniker technique to load the VisualBasic exploit leveraging CVE-2017-8174 into the Office process. Unlike previously-known Office exploits that used the same technique, the URL link in the current exploit calls the mshtml.dll, which is a library that contains the Visual Basic engine in Internet Explorer. Thus, albeit delivered via a Word document as the initial attack vector, the exploit takes advantage of a vulnerability in VBScript, and not in Microsoft Word.
This attack vector allows the attackers to incorporate Internet Explorer Browser exploits directly into Office documents, enabling them to use it via spear-phishing and drive-by campaigns. Immediately upon its discovery, it was estimated that the vulnerability would be exploited in multiple attack campaigns in the near future.
The in-the wild exploit consisted of three stages:
- Delivery of a malicious Word document
- Once opened, an HTML page containing a VBScript code is downloaded to the victim’s machine
- A UAF vulnerability is triggered, and shellcode is executed
Figure 1: Microsoft Office alert pops-up when opening the crafted document
Underground Chatter Regarding the ExploitIn less than two weeks, the exploit for CVE-2018-8174 was incorporated into the Metasploit framework Click To Tweet
. At the same time, we have spotted vigorous chatter regarding this vulnerability emerging on underground sources, in particular in Russian-speaking forums. Threat actors sought to purchase the exploit, and others shared PoC samples for the explicit purpose of their analysis and further modification.
Figure 2: CVE-2018-8174 exploit is mentioned on underground chatter. Source: Verint DarkAlert
Moreover, and in accordance with predictions made by security researchers, exploitation of this vulnerability was included in some of the most popular attack tools on the Russian underground. Of note, operators of malware targeting both Microsoft Office and IE browser announced the addition of the exploit to their attack tools, indicating that the malicious payload is to be delivered by one of these two vulnerable software types. As explained above,the attack vector can be a malicious Microsoft Office file that will trigger the launch of IE browser, even if not configured as the default browser, or a crafted URL link directly provided to the target. Click To Tweet
We detected an exploit for CVE-2018-8174 added to the following attack tools traded on the Russian underground:
- The RIG exploit kit – in the wild attacks using this exploit to deliver the Monero Miner were already spotted.
Figure 3: The RIG campaign’s infection chain. Source: Trend Micro
- The Threadkit Office exploits package – the modified version that includes the CVE-2018-8174 exploit is yet to be discovered in the wild. However, the malware’s author already announced its incorporation several days ago. The update for the kit will cost US$ 400.
- Another Office exploits package – the new version includes exploits for the following vulnerabilities: CVE-2018-8174, CVE-2018-0802, CVE-2017-11882 and CVE-2017-8570.
Figure 4: Exploit for CVE-2018-8174 is added to another office exploitation package. Source: Verint Dark Alert