RIG Exploit Kit Download 2018 | RIG Exploit Kit Analysis

Date: 26 June 2018


Rig Exploit Kit has been the most active and successful exploit kit so far. According to Cisco Talos researchers, RIG is unique compared to other exploit kits because it combines different web technologies such as VBScript, Flash and DoSWF to obfuscate the attack. It has been used to install banking Trojans and ransomware. Since April 2017, however, its activity has declined significantly, and it has shifted toward crypto-mining by distributing lesser-known coin miners.

Overview


Significant changes have been seen in the Rig Exploit Kit over the past year, as described in an article published by the Palo Alto Networks Unit 42 team. Rig EK was one of the most successful exploit kits on the black market in 2017. However, Unit 42 observed a significant decline in infections related to Rig EK: compared with the third quarter of 2017, there was about a thirty-one percent drop in the fourth quarter of 2017, and a staggering ninety-two percent drop was seen in traffic attributed to RIG EK in January 2018 compared with January 2017. Speculated reasons for this drop include the continuous effort by browser vendors to secure browser-based applications and a few arrests of criminals connected to Rig EK malware.

In January 2017, notable campaigns such as Afraidgate, EITest and pseudo-Darkleech used Rig EK to distribute the Locky, CryptoMix, CryptoShield, Spora and Cerber ransomware families. Of thirty-nine reports submitted by the Unit 42 team, thirty-six had ransomware as the payload, and it was delivered successfully to the victim.

In January 2018, the Unit 42 team saw a divergence in the pattern of payloads in three campaigns they were tracking. The Fobos campaign delivered the Bunitu Trojan, a proxy agent that is set up on the victim's system. Once installed, it lets attackers connect remotely to the victim's system, use it as a proxy and redirect their traffic through it, which can drain CPU resources and slow down network traffic. Illegal traffic may flow through the victim's system, and the internet-facing host may be used for ransomware dealings.

The Ngay campaign, first observed in December 2017, distributed a remote access tool and cryptocurrency-mining malware that mined Monero. Its tactics later changed, and it started delivering the Remcos malware instead.

Rig EK was used in the Seamless campaign, which delivered the Ramnit banking Trojan to victims. After infection, Ramnit collects stolen credentials from the victim's browser and applications and delivers them to its C&C (command and control) servers.

Rig Exploit Kit also made frequent use of domain shadowing, which helped it avoid detection. However, RSA Research was able to take down numerous shadow domains associated with RIG EK. In June 2017, Rig EK started to use IP addresses instead of domain names to avoid detection, and used Base64-encoded strings instead of English words in the URL.
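As an added illustration (not from the original post or from Unit 42), the following Python triage heuristic flags proxy log entries that combine the two URL traits described above: a bare IPv4 host and Base64-looking query tokens. The log lines, client addresses and the 198.51.100.23 server address are constructed, and the four-field log layout is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real RIG traffic): time, client, method, URL.
SAMPLE_LOG = """\
2018-06-26T10:00:01Z 10.0.0.5 GET http://example.com/news/index.html
2018-06-26T10:00:02Z 10.0.0.5 GET http://198.51.100.23/?MjQyODMy&dXNlcm5hbWU9aG9tZXVzZXIx=Zm9vYmFyYmF6
2018-06-26T10:00:03Z 10.0.0.7 GET http://198.51.100.23/index.php?q=landing
2018-06-26T10:00:04Z 10.0.0.9 GET http://cdn.example.org/lib/jquery.min.js?v=3.3.1
"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def looks_base64(token):
    """Shape check: base64 alphabet, length a multiple of 4, decodes cleanly."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def query_tokens(query):
    """Yield key and value tokens of a query string, keeping trailing '=' padding."""
    for pair in query.split("&"):
        parts = pair.split("=")
        pad = 0
        while parts and parts[-1] == "":   # trailing '=' are padding, not separators
            parts.pop()
            pad += 1
        if parts:
            parts[-1] += "=" * pad
        yield from (p for p in parts if p)

def score_request(url):
    """Return (score, reasons) for one URL; 2 means both RIG-style traits are present."""
    parts = urlsplit(url)
    reasons = []
    if IPV4_HOST.match(parts.hostname or ""):
        reasons.append("bare-ip-host")
    b64 = [t for t in query_tokens(parts.query) if looks_base64(t)]
    if b64:
        reasons.append(f"base64-tokens:{len(b64)}")
    return len(reasons), reasons

def scan_log(text):
    """Return (url, reasons) for log lines whose URL shows both traits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        score, reasons = score_request(fields[3])
        if score == 2:
            hits.append((fields[3], reasons))
    return hits
```

Both traits also occur in legitimate traffic (CDNs, API tokens, internal services), so treat a hit as a triage lead to pivot on, not as a blocking rule.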

Notable changes in Rig EK

  • Payloads: coin miners and info stealers rather than ransomware.
  • Network Traffic: From Domains to IPs

IOCs

Indicators for the Fobos, Ngay and Seamless campaigns: MD5 hashes, IPv4 addresses and domains (the indicator values are not reproduced here).

Conclusion

Comparing Rig EK activity in January 2017 with January 2018 shows a notable deviation: campaigns using Rig EK are now more focused on coin miners than on ransomware. Although its activity has declined drastically, Rig EK is still readily recognisable.

References

https://zerophagemalware.com/2017/07/31/three-rig-ek-campaigns/

https://researchcenter.paloaltonetworks.com/2018/02/unit42-rig-ek-one-year-later-from-ransomware-to-coin-miners-and-information-stealers/

https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-exploit-kit/

https://exchange.xforce.ibmcloud.com/collection/From-Ransomware-to-Mining-Rig-Exploit-Kit-7a463c24f93309fc8d79709940497166

https://umbrella.cisco.com/blog/2017/03/29/seamless-campaign-delivers-ramnit-via-rig-ek/