The CVE-2018-8174 is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, announced by Qihoo360 on April 20, 2018, patched by Microsoft on May 8, 2018 and explained in details by Kaspersky the day after.

A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now beeing integrated in Browser Exploit Kits.

This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.

RIG:

Spotted on the 2018-05-25

“TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased:

Добавлен CVE-2018-8174
Add CVE-2018-8174
Пробив/rate +
[redacted]@exploit.im
[redacted]@xmpp.jp

And indeed today:

Figure 1: RIG launching code exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-05-25

IOC	Type	Comment	Date
206.189.147.254	IP	Redirector	2018-05-23
95.142.40.187	IP	RIG	2018-05-24
95.142.40.185	IP	RIG	2018-05-24
95.142.40.184	IP	RIG	2018-05-24
46.30.42.164	IP	RIG	2018-05-24
vnz[.]bit|104.239.213[.]7	domain|IP	Smoke Bot C2	2018-05-25
vnz2107[.]ru|104.239.213[.]7	domain|IP	Smoke Bot C2	2018-05-25
92e7cfc803ff73ed14c6bf7384834a09	md5	Smoke Bot	2018-05-25
58648ed843655d63570f8809ec2d6b26	md5	Extracted VBS	2018-05-25

Files: PCAP on VT

Acknowledgement:

• Thanks to William Metcalf and Frank Ruiz (FoxIT InTELL) for their help.

Magnitude:

Spotted on the 2018-06-02

After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174:

Figure 2: Magnitude successfully exploiting CVE-2018-8174 against IE11 on Windows 7 to deploy Magniber Ransomware - 2018-06-02

Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment

IOC	Type	Comment	Date
taxhuge[.]com|149.56.159.203	Domain|IP	Magnigate step 1	2018-06-02
69j366ma35.fedpart[.]website|167.114.33.110	Domain|IP	Magnigate step 2	2018-06-02
a23e5cwd602oe46d.addrole[.]space|167.114.191.124	Domain|IP	Magnitude	2018-06-02
f48a248ddec2b7987778203f2f6a11b1	md5	Extracted VBS	2018-06-02
30bddd0ef9f9f178aa39599f0e49d733	md5	Magniber	2018-06-02
[ID].bitslot[.]website|139.60.161.51	Domain|IP	Magniber Payment Server	2018-06-02
[ID].carefly[.]space|54.37.57.152	Domain|IP	Magniber Payment Server	2018-06-02
[ID].trapgo[.]host|185.244.150.110	Domain|IP	Magniber Payment Server	2018-06-02
[ID].farmand[.]site|64.188.10.44	Domain|IP	Magniber Payment Server	2018-06-02

Files: Fiddler on VT (note: some proxy were used)

GrandSoft:

Spotted by Joseph Chen on 2018-06-14

Figure 3: GrandSoft exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-06-14

Files: Fiddler on VT - Pcap on VT

IOC	Type	Comment	Date
easternflow[.]ml|200.74.240.219	Domain|IP	BlackTDS	2018-06-14
uafcriminality[.]lesbianssahgbrewingqzw[.]xyz|185.17.122.212	Domain|IP	GrandSoft EK	2018-06-14
cec253acd39fe5d920c7da485e367104	md5	Undefined Loader	2018-06-14
a15d9257a0c1421353edd31798f03cd6	md5	GandCrab	2018-06-14
91.210.104.247	IP	AscentorLoader C2	2018-06-14
carder[.]bit	Domain	GandCrab C2	2018-06-14
ransomware[.]bit	Domain	GandCrab C2	2018-06-14

Acknowledgement:

• Thanks to Joseph Chen who spotted the new exploit and allowed the capture of this traffic.

Edits:

• 2018-06-19 - Added the name for the Loader
  

Fallout:

Spotted on 2018-06-30, most probably there since 2018-06-16

Figure 4: Fallout exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-30

Files: Fiddler on VT - Pcap on VT

Acknowledgement:

• Thanks to Nao_Sec for the initial referer. Thanks to Joseph Chen for additionnal inputs

Kaixin EK:

Spotted by JayK on 2018-07-12

Figure 5: Kaixin exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-11

Files: Fiddler on VT - Pcap on VT

Hunter EK:

Figure 6: Hunter including CVE-2018-8174 in its carpet bombing against IE11 on Windows 7 - 2018-08-30

Files: Fiddler on VT

Acknowledgement:

• Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture.

Greenflash Sundown:

Spotted by Chaoying Liu on 2018-09-05

Acknowledgement:

• Thanks to Chaoying Liu for the CVE identification.

Read More:
The King is dead. Long live the King! - 2018-05-09 - SecureList
Analysis of CVE-2018-8174 VBScript 0day - 2018-05-09 - Qihoo360

Post publication reading:
Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner - 2018-05-31 - Trend Micro
Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation - 2018-07-03 - SecureList
Hello “Fallout Exploit Kit” - 2018-09-01 - Nao_Sec

The CVE-2018-15982 is a bug that allows remote code execution in Flash Player up to 31.0.0.153, spotted in the wild as a 0day. Patched on December 05, 2018 with APSB18-42.

Underminer:

Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes

Fallout:

2019-01-16

Figure 4: Fallout exploiting CVE-2018-15982 on Windows 7 - 2019-01-16

Files: Fiddler on VT - Pcap on VT

Associated Advert underground:

Итак! Тяжкие работы по восстановлению всей инфраструктуры связки закончены, были проведены тесты и в данный момент связка работает в полном объеме. Также были произведены множество правок и изменений.

Изменения:

1. Увеличена производительность
2. Полностью переработан механизм обфускации кода и генерации лэндинга.
3. Убран CVE-2018-8373 на переработку. В данный момент сплоит ведет себя не стабильно.
4. Добавлен новый флеш сплоит CVE-2018-15982.
5. Для запуска повершелл в шеллкод добавлен код отключения AMSI
6. Кучка мелких правок

ИЗМЕНЕНА ЦЕНОВАЯ ПОЛИТИКА Неделя 400$ Месяц 1300$

В данный момент при проверке отстука софта со связки было выявлено:

1. Отстук EXE на уровне 80-90%
2. Отстук PowerShell на уровне 95-100%

Translated by google as:

So! The hard work on the restoration of the entire infrastructure of the bundle was completed, tests were carried out and at the moment the bundle is working in full. There have also been many edits and changes.

Changes:

1. Increased performance
2. The code obfuscation and landing generation mechanism has been completely redesigned.
3. Removed CVE-2018-8373 for recycling. At the moment, the flow rate is not stable.
4. Added new flash sploit CVE-2018-15982.
5. To launch Powershell, the disable code AMSI is added to the shellcode
6. A bunch of minor edits

CHANGED PRICE POLICY Week 400 $ Month $ 1300

At the moment, when checking the otstuk software from the bundle, it was revealed:

1. Otstuk EXE level 80-90%
2. Otstuk PowerShell at the level of 95-100%

IOC	Type	Comment	Date
payformyattention[.]site|51.15.35[.]154	domain|IP	Fallout EK	2019-01-16
whereismyteam[.]press|51.15.111[.]159	domain|IP	Fallout EK	2019-01-16
bd31d8f5f7d0f68222517afc54f85da9d305e63a2ff639c6c535e082de13dede	SHA-256	GandCrab Ransomware	2019-01-16

Spelevo:

2019-03-06 Appears to be a new Exploit Kit which has some similarities with “SPL EK”. (CVE-2018-8174 has been spotted there as well)

Figure 4: Spelevo exploiting CVE-2018-15982 on Windows 7 - 2019-03-07

Acknowledgement:

Thanks to Chaoying Liu for CVE confirmation.

Files: Fiddler on VT - Pcap on VT (note: Some proxy were used)

IOC	Type	Comment	Date
letsdoitquick[.]site|194.113.107.71	domain|IP	Redirector (Keitaro TDS)	2019-03-07
index.microsoft-ticket[.]xyz|85.17.197[.]101	domain|IP	Spelevo EK	2019-03-06
blasian.bestseedtodo[.]xyz|85.17.197[.]101	domain|IP	Spelevo EK	2019-03-06
flashticket[.]xyz|85.17.197[.]101	domain|IP	Spelevo EK	2019-03-06
read.updateversionswf[.]xyz|85.17.197[.]101	domain|IP	Spelevo EK	2019-03-07
9aa8e341cc895350addaf268b21f7a716f6d7993575fdba67a3fe7a9e23b8f90	SHA-256	Gootkit “1999”	2019-03-07
2feba3cc47b7f1d47a9e1277c4f4ad5aa5126e59798ac096459d1eae8f573c35	SHA-256	Gootkit “3012” (2nd Stage)	2019-03-07
ws.blueberryconstruction[.]it|185.158.250[.]163	domain|IP	Gootkit C2	2019-03-07
ws.diminishedvaluevirginia[.]com|185.158.251[.]115	domain|IP	Gootkit C2	2019-03-07
gttopr[.]space|198.251.83[.]27	domain|IP	Gootkit C2	2019-03-07

GreenFlash Sundown:

19.03.26 #Malvertising -> #GreenFlashSundown EK-> #SeonRansomware ver 0.2 & #pony & #miner using CVE-2018-15982 - 2019-04-05 - @vigilantbeluga

Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit - 2019-06-27 - Trendmicro

Read More:

Adobe Flash Zero-Day Exploited In the Wild - 2018-12-05 - Gigamon

Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes

This is the last post/activity you’ll see on MDNC.

I have now chosen to bring the MDNC (Blog/Kafeine/MISP) project to an end.
Thanks to those who helped me during this incredible 8 years journey.

The blog and twitter account will stay up (but inactive) for the records.
The MDNC MISP instance will be shut down in several weeks.

‘Choose again.’ said Aenea. ‘Dan Simmons, The Rise of Endymion‘

That’s all Folks!