An exploit kit such as Rig usually starts off with a threat actor compromising a website to inject a malicious script/code that eventually redirects would-be victims to the exploit kit’s landing page. Sometime around February to March last year, however, we saw Rig’s
Seamless campaign adding another layer or gate before the actual landing page.
Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload. Based on the latest activities we’ve observed from Rig, they’re now also exploiting
CVE-2018-8174, a remote code execution vulnerability
patched in May and reported to be actively exploited. The exploit also appears to be from a recently
disclosed proof of concept. The security flaw affects systems running Windows 7 and later operating systems, and the exploit works through Internet Explorer (IE) and Microsoft Office documents that use the
vulnerable script engine.
