An Internet Explorer zero-day vulnerability that came to light last month has now been incorporated in the RIG exploit kit, a web-based toolkit that malware authors use to infect a site's visitors with malware.
The vulnerability in question is CVE-2018-8174. This vulnerability affects VBScript, the Visual Basic scripting engine that's included with Internet Explorer and Microsoft Office.
On April 20,
Bleeping Computer learned from a Chinese security researcher that a cyber-espionage group was using this vulnerability to infect users via Internet Explorer, as part of a series of attacks conducted by what later
proved to be a North Korean state-sponsored hacking group.
Security researchers from Qihoo 360, who first spotted these attacks, reported the vulnerability to Microsoft, and the company patched the bug in the
May 2018 Patch Tuesday security updates, released on May 8.
Write-ups and PoC lead to RIG EK incorporation
Subsequent write-ups from Qihoo 360 [
1,
2,
3],
Kaspersky Lab, and
Malwarebytes revealed more details about the zero-day's new exploitation chain, which Qihoo researchers dubbed "double kill."
These write-ups were also at the base of a proof-of-concept (PoC) code released
on GitHub by
Morphisec security researcher Michael Gorelik. A
Metasploit module was released shortly after.
But as it happened many times in the past, the publication of these technical write-ups and PoC code have also helped malware authors, not just security researchers.