RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique (Jun 28, 2018)
FireEye researchers have observed the RIG Exploit Kit (EK) delivering a dropper that leverages the recently discovered "PROPagate" injection technique. The injected code downloads and executes a Monero cryptominer. The infection begins when a user visits a compromised website containing an injected iframe. The iframe loads the RIG EK landing page, which uses three different vulnerabilities (CVE-2015-2419, CVE-2016-0189, CVE-2018-4878) in an attempt to drop a Nullsoft Scriptable Install System (NSIS) loader. The loader uses the PROPagate technique to inject shellcode into "explorer.exe." The shellcode downloads and installs a Monero miner.
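The chain described above leaves a recognisable trace in endpoint telemetry: a browser launches a dropped executable (the NSIS loader), and shortly afterwards explorer.exe, a process that rarely needs the internet, opens an outbound connection to fetch the miner. The following script is an added illustration of correlating those two signals; it is not FireEye's, Anomali's, or any vendor's code. The Sysmon-like field names, the browser list, the internal address ranges, the ten-minute window, and all sample events are constructed assumptions for the demonstration.

```python
"""Correlate browser-spawned loader + explorer.exe outbound connection.

Added example (not from the original advisory). Records imitate Sysmon
process-creation and network-connection events but are entirely constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}   # assumed browser set
INJECTION_TARGET = "explorer.exe"                          # PROPagate target per the report
WINDOW = timedelta(minutes=10)                             # assumed correlation window
# Hypothetical internal ranges of the monitored network (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str               # "process" (creation) or "network" (outbound connect)
    image: str              # path of the process that acted
    parent_image: str = ""  # process events: path of the parent
    dest_ip: str = ""       # network events: destination address


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the address is neither loopback nor inside INTERNAL_NETS."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)


def detect_chain(events):
    """Alert when, on one host, a browser spawns an .exe and explorer.exe then
    connects to an external address within WINDOW."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        loaders = [e for e in evs if e.kind == "process"
                   and basename(e.parent_image) in BROWSERS
                   and basename(e.image).endswith(".exe")]
        beacons = [e for e in evs if e.kind == "network"
                   and basename(e.image) == INJECTION_TARGET
                   and is_external(e.dest_ip)]
        for loader in loaders:
            for beacon in beacons:
                if timedelta(0) <= beacon.ts - loader.ts <= WINDOW:
                    alerts.append({"host": host, "loader": loader.image,
                                   "explorer_dest": beacon.dest_ip})
    return alerts


# Constructed sample telemetry (hosts, paths and addresses are made up).
T0 = datetime(2018, 6, 28, 10, 0, 0)
SAMPLE_EVENTS = [
    # wks-a: full chain. Browser runs a dropped loader, explorer.exe reaches out.
    Event(T0, "wks-a", "process", r"C:\Users\u\AppData\Local\Temp\setup.exe",
          parent_image=r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Event(T0 + timedelta(minutes=2), "wks-a", "network",
          r"C:\Windows\explorer.exe", dest_ip="203.0.113.5"),
    # wks-b: explorer.exe talking to an internal file server, no loader. Benign.
    Event(T0, "wks-b", "network", r"C:\Windows\explorer.exe", dest_ip="10.1.2.3"),
    # wks-c: browser launched an installer, but explorer.exe only connects an
    # hour later, well outside WINDOW. Not enough to alert on its own.
    Event(T0, "wks-c", "process", r"C:\Users\u\Downloads\tool.exe",
          parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event(T0 + timedelta(hours=1), "wks-c", "network",
          r"C:\Windows\explorer.exe", dest_ip="203.0.113.9"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

Only wks-a produces an alert: the other hosts show one half of the pattern each, which is exactly the noise that correlating the two stages is meant to suppress. In production the browser set and internal ranges would come from the environment's own inventory rather than the constants above.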
Recommendation: Exploit kits have become one of the most common types of crimeware currently available to less sophisticated threat actors. The kits, put together by skilled actors, are then sold to criminal groups as easily deployable exploitation frameworks. The best protection from exploit kits is employee education combined with keeping web browsing software (including extensions such as Flash and Java) and operating system software up to date at all times. Users should be educated on how to browse the web as safely as possible, and to report any suspicious symptoms observed on their devices to IT/secops immediately. In the case of a compromise by RIG, the infected system must be wiped and reformatted.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.