Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes exploit kits. Now Cisco Talos researchers are hoping to shed new light into the ongoing development of the potent EK in hopes of neutralizing the RIG EK threat.
As with the unraveling of any EK, one of the keys to stopping infection rates is determining infection routes and how adversaries bypass security software and device.
Making matters worse, each separate attack strategy utilizes “dynamically changing encoding and encryption for all files transmitted. Talos dissection of RIG also reveals this technique ensures scripts look different every time an attack session is launched. This, Cisco Talos said “ensures (attackers) can’t be detected by simple string matches or hash values.”
With RIG, when it comes to the delivery of malware files, “the same malware file often gets written and executed multiple times on the victim’s PC. If one method doesn’t work or is blocked by an anti-malware solution, they have a couple of backup methods. All stages and methods are obfuscated, some more, some less,” Cisco Talos wrote.
As part of its RIG campaign analysis Cisco Talos noted that most infections were initiated through compromised websites. “These are websites which were hacked and then the adversaries added malicious code into the website which redirected the user to the gate. The gate then redirects the user to the EK landing page,” according to Holger Unterbrink, the author of the blog.
Stage one of the attack is driving traffic to a compromised website which starts the redirection chain. The compromised website loads a malicious Flash (SWF) file. Next, that Flash file inserts one or two iFrames into the compromised site. Now, the victim’s browser is redirected via the iFrame to the gate.
“The gate – which is nothing else than another web site on another server – does some checks and redirects the user again, but now to the exploit kit landing page – again another web page on another server,” Unterbrink said.
The SWF file is heavily obfuscated by commercial protection software called DoSWF, a professional Flash SWF encryptor. This Flash file itself, creates two malicious iFrames, according to Talos, that are served up inside a malicious website. One is generated instantly, the other is generated and placed into the compromise website a bit later after a timer in the first Flash file times out.
Unterbrink says the reason for the timed delay is unclear, but theorizes it could be as a backup mechanism if the first compromise fails.
One of the scripts hidden inside the RIG EK landing page is a VBscript. “After a couple of tests on the target system, (the VBscript) executes the DoMagic() function, which downloads the main malware payload of the campaign such as ransomware using the URL stored in the script,” according to Talos.
This script then executes another malicious Flash (SWF) file that is once again obfuscated by the DoSWF Flash tool. Talos says it is working on de-obfuscating the code, but for now asserts the code “seems to be a type of shellcode payload which gets decoded at runtime, combined with other strings stored in the SWF, and finally executed by an exploit.”
“The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8,” according to a technical description of MS13-037 by Rapid7.
According to Talos, MS13-037 includes code that drives the victim to a URL to download the final EK malware.
In the campaigns tracked by Cisco Talos for this report, it said payloads included ransomware (mainly CRYPTFILE2 and including Locky and CryptXXX), Trojans (Gamarue and Gootkit) and some broken executables, Unterbrink said.
Protecting against RIG disabling all unnecessary browser plugins, recommends Cisco Talos. “Patching and updating is mandatory for all browsers and their plugins. Any browser with an unpatched outdated Flash plugin will get infected, it is just a question of time,” Unterbrink said. That time horizon, he said will be small. “I would guess something from minutes to a few days, depending on your luck and surfing behavior.”