Dissecting the activities and capabilities of RIG Exploit Kit
- Over the past years, the exploit kit has been observed installing various malware ranging from banking trojans to ransomware.
- However, since 2017 there has been a major shift in its activity, and it is now being used to deliver cryptominers as well.
RIG exploit kit, next to the prolific Fallout exploit kit, is the most actively used exploit kit. RIG is unusual among exploit kits in that it combines different web technologies, such as VBScript, Flash and DoSWF, to evade detection.
RIG was first spotted in 2014. Over the past years, the exploit kit has been observed installing various malware ranging from banking trojans to ransomware. However, since 2017 there has been a major shift in its activity, and it is now being used to deliver cryptominers as well.
Going by previous records, the exploit kit has been heavily involved in the delivery of different ransomware families such as CryptoShield 1.0, Spora, Revenge, PyCL, Matrix, GandCrab and more. The exploit kit was also used to deliver trojans such as Ramnit, Pony, AZORult, and Grobois.
Some notable campaigns, including Afraidgate, EITest and pseudo-Darkleech, used RIG EK to distribute the Locky, CryptoMix, CryptoShield, Spora and Cerber ransomware families in 2017.
In 2015, an updated version of RIG EK, labeled RIG 3.0, was discovered by researchers at Trustwave. At the time of discovery, RIG 3.0 had already infected 1.25 million people at an average rate of 27,000 machines per day. Other than delivering malware, the improved EK was used by hackers to spread malvertising and to exploit flaws in Flash, Java, and Microsoft Silverlight.
Two months ago, the RIG exploit kit's future was in danger after an unhappy customer leaked the exploit code of RIG 2.0 across the web. Hackers saw this as an opportunity to leverage the code and build on it to develop an improved version.
RIG EK uses the traditional drive-by-download attack to compromise a victim's computer. Here, the attackers look for insecure websites and inject malicious scripts into the HTML or PHP code of one of the pages. These scripts may install malware directly onto the computer of someone who visits the site, or they may take the form of an IFRAME that redirects the victim to a site controlled by the attackers. Once the user clicks on an insecure URL, code is downloaded onto the machine that exploits a use-after-free (UAF) vulnerability in Flash. The exploit is wrapped in multiple layers of obfuscation using AES and other encryption algorithms.
“The exploit’s payload is a piece of shellcode that is supposed to download the encoded URL that was passed from the landing page’s body and attached at the end of the shellcode and execute it on the victim’s machine in order to infect it; the final malware payload can be anything from Ransomware to Banking Trojan to RAT according to the EK operator’s goals on the victim machine,” said security researchers from RSA in a blog post.
RIG EK has also frequently been observed using the domain shadowing technique to avoid detection. In June 2017, RIG started to use IP addresses instead of domain names to evade detection, and used Base64-encoded strings instead of English words in the URL.
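As an added example (not from the article or from any published RIG analysis), the following Python heuristic runs over a few constructed proxy-log lines and scores each request on the two evasion traits just described: a bare IP address in place of a hostname, and Base64-looking tokens in the URL. The log format, client addresses, hosts and tokens are all assumed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): "<client_ip> <method> <url>"
SAMPLE_LOG = """\
10.0.0.12 GET http://intranet.example.test/index.html
10.0.0.12 GET http://203.0.113.45/?MTcxNTYz=Q2hhbmdlLWVuY29kZWQtdmFsdWU&oq=aGVsbG8gd29ybGQ
10.0.0.19 GET http://cdn.example.test/static/app.js?v=3
10.0.0.21 GET http://198.51.100.7/news/today
10.0.0.21 GET http://updates.example.test/?token=VGhpcyBpcyBhIHRlc3Q
"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Standard or URL-safe Base64 alphabet, 16+ characters, optional '=' padding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def looks_base64(token):
    """Opaque-token test: Base64 alphabet plus mixed case and at least one digit,
    so ordinary path words such as 'static' or 'index' do not match."""
    return bool(B64_SHAPE.match(token)) and all(
        re.search(p, token) for p in (r"[a-z]", r"[A-Z]", r"\d"))

def assess_url(url):
    """Return the list of RIG-style evasion traits seen in one URL."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")   # no unquoting, so '+' stays intact
        tokens.extend(t for t in (key, value) if t)
    reasons = []
    if IPV4_HOST.match(parts.hostname or ""):
        reasons.append("bare-ip-host")
    if any(looks_base64(t) for t in tokens):
        reasons.append("base64-like-token")
    return reasons

def suspicious_requests(log_text, min_reasons=2):
    """Return (client, url, reasons) for lines showing at least min_reasons traits."""
    hits = []
    for line in log_text.splitlines():
        client, _method, url = line.split(" ", 2)
        reasons = assess_url(url)
        if len(reasons) >= min_reasons:
            hits.append((client, url, reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in suspicious_requests(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Requiring both traits keeps a bare-IP request to an ordinary path, or a single Base64 token on a normal hostname, from being flagged on its own; lowering `min_reasons` trades precision for recall.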