Date: 26 June 2018
Rig Exploit Kit has been the most active and successful exploit kit so far. According to Cisco Talos researchers, RIG is unique if compared to other exploit kits as it merges different web technologies such as VB Script, Flash, and DoSWF to obfuscate the attack. It has been used to install banking Trojans, ransomware. However, since April 2017 there has been a significant downfall in its activity till it has made a shift into crypto-mining by the distribution of less known coin miners.
Overview
Significant changes have been seen in the Rig Exploit Kit over the past year which has been published in an article published by the Palo Alto Unit 42 team. Rig EK was one the successful exploit kit on the black market in 2017. However, there was a significant decline that was seen in the infections related to the Rig EK according to the Unit 42. If compared with Quarter 3 of 2017 there was about thirty-one percent drop with respect to the Quarter 4 of 2017. Staggering ninety-two percent drop was seen in the traffic attributed to RIG EK in January 2018 as compared to January 2017. Reasons speculated in this drop, might be the continuous effort taken by browser vendors to secure browser-based application and few arrests of Rig EK malware related criminals.
Some notable campaigns like Afraidgate, EITest, and pseudo-Darkleech used Rig EK to distribute Locky, CrptoMix, Cryptosheild, Spora and Cerber ransomware, in Jan 2017. It was identified that out of thirty-nine reports submitted by the Unit 42 team, thirty-six had ransomware as the payload and it was delivered successfully to the victim.
In January 2018, the Unit 42 team saw a divergence in the pattern of payloads in three campaigns they were tracking. Fobos campaign used Bunitu Trojan which is a proxy agent that is set up on victim’s system. Once installed it helps attackers to remotely connect to the victim’s system, as a proxy and then redirect their traffic which leads to possible CPU resource draining and network traffic slowdown. There might be chances of illegal traffic flowing through victim’s systems and use the internet facing system for ransomware dealings.
The Ngay campaign distributed a remote access tool and cryptocurrency mining malware which was pushing the Monero mining malware and it was first observed in December 2017. However, there was a change in the tactics and started delivering the Ramcos malware instead.
Rig EK was used in the Seamless campaign which delivered the Ramnit banking Trojan to the victims after infecting it collects and delivers stolen credential information from victim’s browser and applications to is CnC (Command and control centre) servers.
Rig Exploit Kit even used domain shadowing frequently which helped in avoiding detection. However, RSA Research was able to take down numerous shadow domains associated with the RIG EK. In June 2017, Rig EK started to use IP address instead of domain names to avoid detection and used Base64 encoded strings instead of English words in the URL.
Notable changes in Rig EK
- Payloads: Coin Miners & Info Stealers rather than Ransomwares.
- Network Traffic: From Domains to IPs
IOCs
Fobos Campaign
|
Ngay Campaign
|
Seamless Campaign
|
MD5
IPv4Domains
|
IPv4
Domains
|
IPv4
Domains
|
Conclusion
In comparison to Rig EK January 2017 activities with January 2018, there is a notable deviation. Campaigns using Rig EK are now more focused on coin miners than Ransomwares. However, there has been a drastic decline in its activities but still Rig EK is readily recognisable.
References
https://zerophagemalware.com/2017/07/31/three-rig-ek-campaigns/
https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-exploit-kit/
https://umbrella.cisco.com/blog/2017/03/29/seamless-campaign-delivers-ramnit-via-rig-ek/
