A Detailed Look at the Rig Exploit Kit

The Rig exploit Kit (REK) has been widely used to distribute a wide variety of ransomware and Trojan viruses against thousands of computers. Cisco Talos has published an in-depth analysis of the software and we report on these results to give you an overview of its capabilities.

A Detailed Analysis of the Rig Exploit Kit

The rising number of infections that have happened due to malware threats being distributed by the Rig Exploit Kit has provoked the Cisco Talos Security team to make an in-depth investigation of the software.

The exploit kit uses various strategies to infect the computers by utilizing various complex processes. One of the key features of RIG is that it is able to bypass several important security measures, including security software and mechanisms, that are widely used by both individual users and companies.

RIG infects users by compromising various web site hosts and uses Gates to redirect the visitors to its Landing page. A complex chain of redirect links follow which triggers the malware delivery process. The experts traced that the series of redirects use different stages to download the payloads to the target computer. This is done in order to get through some of the mechanisms that anti-malware solutions use. Every intrusion attack is obfuscated for stealth protection and uses complex mechanisms, for example the communication variables are individualized according to the target victim. This makes it difficult to detect the attacks by using network or file filtering options such as sorting by URLs or document names.

Observed Rig Exploit Kit Infections

The security analysts observed that malvertising is used as the main technique for redirecting the users into the infection chain. The observed campaign used code injections that add a download link to the compromised sites that delivers a dangerous Flash file. It creates two malicious iFrames that contains code that downloads the payload from the remote controlled Gate servers. However they are generated at the same time. The second iFrame instance is placed on the web site after a built-in timer is activated. This is made to ensure that the first Flash link has expired.

The Rig exploit kit landing page itself contains obfuscated HTML code with three embedded scripts that are hidden in three JavaScript variables. One of them downloads another malicious and obfuscated Flash file. This is a yet another instance in the big redirection chain.

All of these scripts and Flash files are used to exploit various vulnerabilities on the victim system that are related to the used security mechanisms. The final goal of the criminal developers is the installation of the target payload which is usually a dangerous ransomware strain or a Trojan threat.

To read the detailed report click here to access the Cisco Talos blog post.

Protect yourself from RIG Exploit Kit Threats

DOWNLOAD Anti-Malware Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts