{"id":1117,"date":"2024-08-29T04:18:25","date_gmt":"2024-08-29T04:18:25","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1117"},"modified":"2025-07-28T13:42:00","modified_gmt":"2025-07-28T13:42:00","slug":"crib-notes-rig-exploit-kit-derigged","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/crib-notes-rig-exploit-kit-derigged\/","title":{"rendered":"Crib Notes: RIG exploit kit \u2013 derigged?"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"500\" height=\"281\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged_featured_img.jpg\" alt=\"\" class=\"wp-image-1125\" style=\"width:550px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>Today we\u2019re going to look at the \u2018forward scout\u2019 of the cybercrime world \u2013 the exploit kit. An exploit kit is a software package \u2013 usually bundled together with various pieces of ransomware and sold on the dark web. It is designed to first find vulnerabilities on a machine before exploiting them.&nbsp;<\/p>\n\n\n\n<p>There is an entire ecosystem of various exploit kits, but today we\u2019ll focus on RIG because there\u2019s been some exciting recent developments with this variant.<\/p>\n\n\n\n<p>Recently: In late March this year, 40,000 illegal subdomains were taken down in a joint effort between hosting provider GoDaddy, RSA, and a team of other security firms.<\/p>\n\n\n\n<p>These malicious subdomains were created after domain owners\u2019 credentials were stolen in a process known as \u2018domain shadowing\u2019. 
After being set up, the subdomains acted as \u2018gates\u2019, redirecting victims to IP addresses\u2014mostly in Eastern Europe\u2014hosting the exploit kit.<\/p>\n\n\n\n<p>RIG was one of the primary exploit kits affected in the takedown, as can be seen in the below graph from Palo Alto:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Note the steep decline after the March subdomain takedown.<\/p>\n\n\n\n<p>Despite the effort\u2019s obvious success, researchers warn that it will be impossible to completely eradicate RIG\u2019s illegal subdomains.&nbsp;<\/p>\n\n\n\n<p><strong>Propagation:<\/strong><\/p>\n\n\n\n<p>To understand the RIG exploit kit, we first have to look at how it spreads. The diagram below illustrates this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img2.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>RIG is known to use malvertising redirection to hijack legitimate traffic (normal website) and send it to the exploit kit gateway. Similarly, malicious URLs\/shadow domains (compromised website) and spam (spam links) also send traffic to the gateway. From the gateway, traffic is redirected to the landing page, where the relevant malware, chosen according to the victim\u2019s specific vulnerabilities, is identified and executed. We\u2019ll look at this in further depth later.<\/p>\n\n\n\n<p>Technically:<\/p>\n\n\n\n<p>The reason the takedown had such a drastic effect is that, despite also using malvertising and spam to propagate, shadow domains were RIG\u2019s primary traffic redirection method. 
That said, let\u2019s take a closer look at how RIG channels traffic.<\/p>\n\n\n\n<p>The code below is the LoadURL function, which is invoked to drive traffic to the landing page:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img3.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Next, the exploit checks which browser the victim uses:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img4.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Once the browser check is complete, the URL redirector is invoked to send traffic to the exploit landing page:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img5.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>As mentioned earlier, the landing page is where the actual exploit is loaded onto the victim\u2019s machine. One such Flash vulnerability scenario is outlined below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img6.png\" alt=\"\" style=\"width:643px;height:auto\"\/><\/figure>\n\n\n\n<p>Parameter \u2018param name=FlashVars\u2019 is followed by an obfuscated value. 
The object type the exploit applies to can be seen in the highlighted value, \u2018application\/x-shockwave-flash\u2019.<\/p>\n\n\n\n<p>We also looked into the major malware and ransomware variants RIG has dropped onto victim machines and found:<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;DreamBot<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Philadelphia Ransomware<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Locky ransomware<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Cerber<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Nemucod<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Cryptomix<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Matrix Ransomware<\/p>\n\n\n\n<p>\u2022&nbsp;&nbsp; &nbsp;Zloader&nbsp;<\/p>\n\n\n\n<p><strong>Prevalence:&nbsp;<\/strong><\/p>\n\n\n\n<p>The below graph from Proofpoint shows RIG\u2019s popularity throughout 2016:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/rig-exploit-kit-derigged-img7.png\" alt=\"\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Today we\u2019re going to look at the \u2018forward scout\u2019 of the cybercrime world \u2013 the exploit kit. An exploit kit is a software package \u2013 usually bundled together with various pieces of ransomware and sold on the dark web. 
It is designed to first find vulnerabilities on a machine before exploiting them.\u00a0There is an entire ecosystem of various exploit kits, but today we\u2019ll focus on RIG because there\u2019s been some exciting recent developments with this variant.<\/p>\n","protected":false},"author":1,"featured_media":1125,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1117","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1117"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1117\/revisions"}],"predecessor-version":[{"id":4448,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1117\/revisions\/4448"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1125"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}