A look into some RIG exploit kit campaigns

A look into some RIG exploit kit campaigns

In the past few weeks we’ve talked about the Neutrino and Magnitude exploit kits. This time, we take a look at RIG EK and in particular at various distribution channels and payloads.

Like most exploit kits, RIG relies on compromised sites and malvertising as its source of traffic but is one of the less sophisticated EKs due to its use of older exploits. For instance, its Flash exploit (CVE-2015-8651) was patched in late December 2015 whereas other EKs are using a more recent Flash exploit from May 2016 (CVE-2016-4117).

SWF_exploit
RIG EK exploiting Flash 20.0.0.228 (CVE-2015-8651)

Despite a less potent engine, RIG EK still generates a fair amount of traffic via several malware campaigns. The redirection mechanism from compromised site or malvertising to RIG EK is either done server side (302 redirects) or client side (iframe, JavaScript).

Different malware campaigns may represent different customers of the exploit kit (which can explain the various malware payloads), or the same individual diversifying his operations for redundancy purposes. One surprise with the samples we collected below is the absence of ransomware, a payload that is usually very prevalent with other exploit kits. Instead, we see bots and stealers that are thoroughly packed and obfuscated.

Campaigns overview:

flow2

The naming convention here is very basic as we picked some string or pattern that was unique for each campaign and used it as a label to differentiate it from others. As a note, there are probably additional variants, and other gates we have not documented here.

302 redirect

_302_

The 302 redirect path, as its name indicates it, uses server side 302 redirection to RIG EK’s landing page. For the most part, these are hacked sites that still load their content and perform the redirect.

Payload:

gonext

_gonext_

This is one of the most active campaigns easily recognizable by the use of redirectors from certain TLDs, such as .top, and HTML files largely obfuscated with naming patterns such as lobo.phtml. The ultimate redirect to RIG relies on a 302, from a fairly static domain name (i.e. artisticplaces.net).

Payload:

randphp

_phpid_

This distribution path is also very popular and leverages compromised sites injected with JavaScript that redirects to an intermediary site using a randomly named php file that contains an iframe to RIG EK.

Payload:

trk

_trk_

This campaign is based on malvertising that uses a two level redirection: a spammy/dummy site and a tracker which logs stats via a Google Analytics account and redirects to RIG EK via iframe.

Payload:

vollumne

_vollumne_

This is yet another malvertising based campaign that funnels all traffic via vollumne.com, a domain registered to gianafyn410@yahoo.com (Russia). It uses a simple 302 redirect (server side) mechanism to RIG EK.

Payload:

Custom redirector

_customredir_

This attack path appears to use hacked or bogus domains stuffed with other content (porn, viagra, other ads). It may also be linked via malvertising and the redirection mechanism to RIG EK happens thanks to an iframe tag injected at the bottom of the home page.

Payload:

IPredir

_ipredir_

This is another easily recognizable attack with a custom redirector (i.e. casinoplayerall.online) and a redirect to a hardcoded IP address (i.e. 131.72.136.46) performing the final redirection to RIG EK.

Payload:

IPredirvariant

IPredirvariant

More recently we started seeing this redirect mechanism. These campaigns are malvertising driven, and lead to a harcoded IP address owned by threat actors.

Payload:

Malshadow

malshadow

Malvertising based attack path with the use of domain shadowing as the redirector to RIG EK.

Payload:

Conclusion

The demise of Nuclear EK and the mysterious disappearance of Angler EK, by far two of the more sophisticated exploit kits to date, has lead to a new playing field where even smaller actors get increased exposure. Neutrino took the first spot and is used for high profile attacks via malvertising and a number of popular gates via hacked sites.

We continue to see RIG EK in malvertising attacks with low quality traffic and the tried and tested hacked sites distribution path, which all in all is very similar to Magnitude EK, except for the latter having an advantage with a better Flash exploit.

Malwarebytes Anti-Exploit customers continue to be protected against the RIG exploit kit.

Special thanks to @hasherezade for help with payload analysis!

IOCs:

Payloads (SHA256 dump)

gonext

  • artisticplaces[.]net/lobo.phtml?gonext=true&r=
  • biomasspelletplant2[.]xyz/lobo.html
  • biomasspelletplant3[.]xyz/lobo.html
  • biomasspelletplant4[.]xyz/lobo.html
  • biomasspelletplant5[.]xyz/lobo.html
  • biomasspelletplant6[.]xyz/lobo.html
  • biomasspelletplant7[.]top/lobo.html
  • biomasspelletplant[.]xyz/lobo.html
  • 24x7apple[.]com/sp1.phtml?gonext=
  • affordableaffairsbyyoli[.]com/spm.phtml?gonext=
  • analyticsonjs[.]com/analytics.phtml?gonext=
  • balkanlight[.]com/bro.phtml?gonext=
  • blockmycalls[.]com/sm.phtml?gonext=
  • buzzinarea[.]com/immo.phtml?gonext=
  • capemadefieldguide.org/dan.phtml?gonext=
  • capemadefieldguide.org/ram.phtml?gonext=
  • clothes2017.club/oly.phtml?gonext=
  • cookingschoolonline.us/bro.phtml?gonext=
  • dadadeo[.]com/jes.phtml?gonext=
  • easyastrologyoraclecards[.]com/bruno.phtml?gonext=
  • ebldf[.]com/bruno.phtml?gonext=
  • enkorepartners[.]com/bruno.phtml?gonext=
  • gstatistics[.]com/stat.phtml?gonext=
  • henrymountjoy[.]com/sm.phtml?gonext=
  • littlebungas[.]com/myst.phtml?gonext=
  • mikeandangelina[.]com/myst.phtml?gonext=
  • molodinoska[.]com/bro.phtml?gonext=
  • monmariemakeupartist[.]com/sp1.phtml?gonext=
  • monsterbungas[.]com/myst2.phtml?gonext=
  • religiousapproaches[.]com/ch.phtml?gonext=
  • religiouslandscape[.]com/ch2.phtml?gonext=
  • siliconvalleydreams[.]com/oly.phtml?gonext=
  • snovels[.]com/myst.phtml?gonext=
  • svdreams[.]com/oly.phtml?gonext=
  • tequilabuch[.]com/bro.phtml?gonext=
  • thebookoneducation[.]com/bro.phtml?gonext=
  • thebookoneducation[.]com/laze2.phtml?gonext=
  • thebookoneducation[.]com/laze.phtml?gonext=
  • thebookoneducation[.]com/may.phtml?gonext=
  • thecasinobank[.]com/buggy.phtml?gonext=
  • wordpresscache.org/bro.phtml?gonext=
  • wordpresscache.org/youshynec.phtml?gonext=
  • youthadvocatecoaching[.]com/shi.phtml?gonext=
randphp
  • 103rdcomposite[.]net/forums/db/g3hbzckj.php?id=8548176
  • az.mediancard[.]com/8xrvwbkd.php?id=8141864
  • bitina[.]com/wqjkt8m2.php?id=12866788
  • e-bannerstand[.]com/nycy2z8t.php?id=11726031
  • ekitab[.]net/7thwcbvz.php?id=11741674
  • fh380968.bget[.]ru/templates/stets1/hhwbwny9.php
  • filosofia.top/j6fn3dfl.php?id=8294815
  • forum.wloclawek[.]pl/dmzxkcbr.php?id=14338552
  • gaptaquara[.]com.br/gkxpdffh.php?id=8231629
  • gv-pk[.]com/bfnmvvlw.php?id=7912878
  • illirico18[.]it/v98vrpz6.php?id=8247670
  • jobroom.nichost[.]ru/zpgrkljm.php?id=10810290
  • kromespb[.]ru/_VTI_CNF/rpwbr3gt.php?id=8519025
  • louisiana-indonesia[.]com/qc8nf2nc.php?id=8324784
  • multiporn[.]us/milfs/rzhxpbr8.php?id=1266474
  • ocenem1.nichost[.]ru/ndpvy6rk.php?id=10810290
  • russianbiker.de/4hyrb3fk.php?id=8062768
  • shop.universalauto[.]ru/x6m2byg8.php?id=8295668
  • tobiasdesigns[.]com/ckjvgphz.php?id=8426416
  • ugasac[.]com/webapp/sigemave/3cdnvtkn.php?id=8186035
  • waterjet-cutter[.]com/lc6jxqkv.php?id=15783431
  • www.bma[.]com.ua/vk63ntzy.php?id=2259041
  • www.hima-haven[.]com/rmbwj7ld.php?id=8118993
  • www.nspiredsigns[.]com/pfmj94vq.php?id=15876656
  • www.rospravo[.]ru/k67cpfnn.php?id=8673574
IPredir
  • 131.72.136.46/css/style.php
  • 185.86.77.27/css/style.php
  • 84.200.84.230/css/style.php
IPredirvariant
  • 91.218.114.24/html/index.php?voluumdata
Malshadow
  • ads.adwirknetwork.com

ABOUT THE AUTHOR

Jérôme Segura

Sr Director, Research