Jérôme SeguraMALWAREBYTES:C7D9126F912DAC06B9FBA1B29BF174BCBuggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
A variant of a remote code execution vulnerability with Internet Explorer’s scripting engine known as CVE-2018-8373 patched last August has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static domain has been active since at least early July, and is being redirected to from an adult website injected with a malicious script.
In the below traffic capture from August, we were served CVE-2018-8174, which is thought to be from the same author. It is interesting to note that this is not an exploit kit, but rather appears to be a single actor who implemented the available Proof of Concept to distribute his payload, the Quasar Remote Administration Tool (RAT).
During our tests with this new variant of CVE-2018-8373, we found it to be quite unstable and failing to detonate its payload via Powershell invocation. However, a working CVE-2018-8174 was still serving the same payload we had captured back in August.
The source code for CVE-2018-8373 has been uploaded to many platforms already (PasteBin, VirusTotal), including to the AnyRun sandbox. That sample triggers the exploit and spawns PowerShell. In the following animation, we replayed this attack to show how our anti-exploit technology is able to mitigate this vulnerability at various levels.
We can expect that other treat actors will be looking at this code for possible implementation. However, unless it is improved, it is unlikely to be integrated into exploit kits, considering that its cousin, CVE-2018-8174, works flawlessly.
Indicators of compromise
Injected adult site
198.211.33[.]67
clubtubes[.]com
Exploit-serving domain
54.191.17[.]130
myswcd[.]com/vol/m3.html,CVE-2018-8373
myswcd[.]com/vol/m2.html,CVE-2018-8174
myswcd[.]com/vol/me.html,CVE-2018-8174
Payload
myswcd[.]com/vol/s1.exe,Loader
myswcd[.]com/vol/v1.exe,Installer
myswcd[.]com/vol/v2.exe,Quasar RAT
7EEF6EF8FED53B7C3BF61BA821F375A0A433EA4CB0185FD223780B729A9A5792
268909BC33F0F8C5312B51570016311E3676AF651A57DE38E42241DCC177B2D6
D9A967D0CAA8DB86FECA3AE469EF6797E81DFDAC4D8531658CB242A87C80CE05
The post Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT appeared first on Malwarebytes Labs.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%