After some absence, I have returned to blog on Rig EK’s inclusion of CVE-2018-4878. This was reported by @nao_sec and then @kafeine. Initially I had planned to blog about a maldoc. I had obtained a sample of a #ThreadKit document that had recently included this Flash exploit and so I updated my lab in order to display it and give me something to blog about. That’s when I saw the Twitter posts and went hunting for Rig EK instead.
The blog is not so detailed I’m afraid but hopefully the PCAP will be useful to some.
- An article regarding the integration of Flash exploit CVE-2018-4878
- CVE-2018-4878 https://nvd.nist.gov/vuln/detail/CVE-2018-4878
(in password-protected zip)
- 09-April-2018-Rig-GandCrab -> PCAP for traffic
- 09-April-2018-Rig-GandCrab-CSV -> IOCs in CSV
- 09-April-2018-GandCrab-Flash -> GandCrab Ransomware and Rig Flash Exploit (on tinyupload due to WP issues)
- GandCrab hash – 4302aac62e41f4355206d49257c3aaae
Details of the infection chain:
ESET-NOD32: a variant of SWF/Exploit.CVE-2018-4878.J
Detection ratio: 9 / 59
I found this flow relatively quickly after hearing about the implementation of this CVE into Rig EK. Time will tell if this exploit will evolve Rig EK or not.
That is all for now!