A FortiGuard Labs Threat Analysis
As Internet Explorer's share of the browser pie continues to shrink, exploit kits — frameworks hosted by malicious actors to target browser vulnerabilities, particularly for IE — are much less active than before. However, some of them now target geographic regions where IE owns a more sizable part of the market.
Magnitude Exploit Kit is one that continues to target South Korea. At FortiGuard Labs, we discovered a sample that was using a specific technique with VBScript to load the .NET assembly from memory.
The flow for this sample was as follows:
- Ad network 302 redirection
- Magnitude EK 'gate' containing obfuscated JS
- Redirection to a second domain with a VBScript exploit (CVE-2018-8174) and .NET payload
The intermediate page just contains Base64-encoded JavaScript.
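When triaging a captured intermediate page of this kind, a defender can search it for long Base64 runs that decode to script-like text. The following is an added example, not code from the FortiGuard analysis; the sample page, the 40-character threshold and the keyword list are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import string

# Runs of base64 alphabet long enough to hide a script (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens that suggest the decoded text is JavaScript (illustrative, not exhaustive).
JS_HINTS = ("function", "var ", "eval(", "document.", "window.", "location")
PRINTABLE = set(string.printable)


def find_encoded_scripts(html):
    """Return one finding per base64 run in html that decodes to script-like text."""
    findings = []
    for match in B64_RUN.finditer(html):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # wrong length/padding or binary data: not encoded text
        if not set(text) <= PRINTABLE:
            continue  # control characters: decoded bytes are not readable source
        hints = [h for h in JS_HINTS if h in text]
        if hints:
            findings.append({"offset": match.start(), "hints": hints, "decoded": text})
    return findings


# Constructed sample: a harmless one-line script, encoded and embedded in a page.
# This is not the layout of the real gate page, which the article does not show here.
SAMPLE_JS = 'var u = "https://gate.example.invalid/"; document.location = u;'
SAMPLE_PAGE = (
    "<html><body><script>var p='"
    + base64.b64encode(SAMPLE_JS.encode()).decode()
    + "';</script></body></html>"
)

if __name__ == "__main__":
    for f in find_encoded_scripts(SAMPLE_PAGE):
        print(f["offset"], f["hints"], f["decoded"])
```

Decoded output should be reviewed as text only; further layers of obfuscation inside the decoded script are outside what this check handles.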