{"id":13441,"date":"2018-09-26T10:10:09","date_gmt":"2018-09-26T18:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/09\/26\/news-7208\/"},"modified":"2018-09-26T10:10:09","modified_gmt":"2018-09-26T18:10:09","slug":"news-7208","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/09\/26\/news-7208\/","title":{"rendered":"Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 26 Sep 2018 17:13:26 +0000<\/strong><\/p>\n

A variant of a\u00a0remote code execution vulnerability with Internet Explorer’s scripting engine known as CVE-2018-8373\u00a0patched last August<\/a> has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro<\/a>, we recognized the infrastructure serving this exploit. The same static domain has been active since at least early July<\/a>, and is being redirected to from an adult website injected with a malicious script.<\/p>\n

In the below traffic capture from August, we were served CVE-2018-8174<\/a>, which is thought<\/a> to be from the same author. It is interesting to note that this is not an exploit kit, but rather appears to be a single actor who implemented the available Proof of Concept to distribute his payload, the Quasar Remote Administration Tool (RAT).<\/p>\n

\"\"<\/a><\/p>\n

During our tests with this new variant of\u00a0CVE-2018-8373, we found it to be quite unstable and failing to detonate its payload via Powershell invocation. However, a working CVE-2018-8174 was still serving the same payload we had captured back in August.<\/p>\n

\"\"<\/a><\/p>\n

The source code for CVE-2018-8373 has been uploaded to many platforms already (PasteBin<\/a>, VirusTotal<\/a>), including to the AnyRun<\/a> sandbox. That sample triggers the exploit and spawns PowerShell.\u00a0In the following animation, we replayed this attack to show how our anti-exploit technology<\/a> is able to mitigate this vulnerability at various levels.<\/p>\n

\"\"<\/a><\/p>\n

We can expect that other treat actors will be looking at this code for possible implementation. However, unless it is improved, it is unlikely to be integrated into exploit kits, considering that its cousin, CVE-2018-8174, works flawlessly.<\/p>\n

Indicators of compromise<\/h3>\n

Injected adult site<\/p>\n

198.211.33.67  clubtubes[.]com<\/pre>\n
Exploit serving domain<\/p>\n
54.191.17.130  myswcd[.]com\/vol\/m3.html,CVE-2018-8373  myswcd[.]com\/vol\/m2.html,CVE-2018-8174  myswcd[.]com\/vol\/me.html,CVE-2018-8174<\/pre>\n
Payload<\/p>\n
myswcd[.]com\/vol\/s1.exe,Loader  myswcd[.]com\/vol\/v1.exe,Installer  myswcd[.]com\/vol\/v2.exe,Quasar RAT  7EEF6EF8FED53B7C3BF61BA821F375A0A433EA4CB0185FD223780B729A9A5792  268909BC33F0F8C5312B51570016311E3676AF651A57DE38E42241DCC177B2D6  D9A967D0CAA8DB86FECA3AE469EF6797E81DFDAC4D8531658CB242A87C80CE05<\/pre>\n
The post Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 26 Sep 2018 17:13:26 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
A threat actor implements a newer vulnerability exploited in Internet Explorer to serve up the Quasar RAT and diversify the portfolio of attacks.<\/p>\n
Categories: <\/p>\n