Inside the RIG Exploit Kit

In a deep analysis of RIG, Cisco Talos team outlined the way the exploit kit combines different web technologies such as DoSWF, JavaScript, Flash and VBscript to obfuscate attacks.

Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes exploit kits. Now Cisco Talos researchers are hoping to shed new light into the ongoing development of the potent EK in hopes of neutralizing the RIG EK threat.

As with the unraveling of any EK, one of the keys to stopping infection rates is determining infection routes and how adversaries bypass security software and device.

In a deep analysis of RIG, Cisco Talos team outlined recently the unique nature of the exploit kit. In a nutshell, like other exploit kits the crew behind RIG are using gates to redirect their victims to their exploit kit. But what makes RIG unique, according Cisco Talos researchers is the way RIG combines different web technologies, such as DoSWF, JavaScript, Flash and VBscript to obfuscate the attack.

Making matters worse, each separate attack strategy utilizes “dynamically changing encoding and encryption for all files transmitted. Talos dissection of RIG also reveals this technique ensures scripts look different every time an attack session is launched. This, Cisco Talos said “ensures (attackers) can’t be detected by simple string matches or hash values.”

At the heart of the RIG attack, researchers say, is a three-pronged attack strategy that leverages either a JavaScript, Flash, VBscript-based attacks as needed.

With RIG, when it comes to the delivery of malware files, “the same malware file often gets written and executed multiple times on the victim’s PC. If one method doesn’t work or is blocked by an anti-malware solution, they have a couple of backup methods. All stages and methods are obfuscated, some more, some less,” Cisco Talos wrote.

As part of its RIG campaign analysis Cisco Talos noted that most infections were initiated through compromised websites. “These are websites which were hacked and then the adversaries added malicious code into the website which redirected the user to the gate. The gate then redirects the user to the EK landing page,” according to Holger Unterbrink, the author of the blog.

To a lesser extent, Unterbrink said, other RIG campaigns used gates which were using malvertising techniques, redirecting traffic to the adversary’s infection chain. Here victims are funneled into either a JavaScript, Flash, VBscript-based attack. In the end, all of these scripts are downloading and execute the same malware file which the exploit kit wants to install on the victim’s machine.

Stage one of the attack is driving traffic to a compromised website which starts the redirection chain. The compromised website loads a malicious Flash (SWF) file. Next, that Flash file inserts one or two iFrames into the compromised site. Now, the victim’s browser is redirected via the iFrame to the gate.

“The gate – which is nothing else than another web site on another server – does some checks and redirects the user again, but now to the exploit kit landing page – again another web page on another server,” Unterbrink said.

Lastly, the exploit kit landing page includes three JavaScript variables – a JavaScript which loads a Flash (SWF) exploit, a VBscript with an exploit, and a third JavaScript that also contains an exploit. “This is a very complex infection chain with all of these steps using their own obfuscation techniques,” Unterbrink said.

The SWF file is heavily obfuscated by commercial protection software called DoSWF, a professional Flash SWF encryptor. This Flash file itself, creates two malicious iFrames, according to Talos, that are served up inside a malicious website. One is generated instantly, the other is generated and placed into the compromise website a bit later after a timer in the first Flash file times out.

Unterbrink says the reason for the timed delay is unclear, but theorizes it could be as a backup mechanism if the first compromise fails.

Next, depending on vulnerabilities in the victim’s browser, either iFrame, both filled with JavaScript code, redirects the victim to the RIG exploit kits landing page. Here the victim’s browser is faced with three embedded scripts hidden inside corresponding JavaScript variables.

One of the scripts hidden inside the RIG EK landing page is a VBscript. “After a couple of tests on the target system, (the VBscript) executes the DoMagic() function, which downloads the main malware payload of the campaign such as ransomware using the URL stored in the script,” according to Talos.

A second script is also present on the RIG EK landing page that has the capability of inserts random comments such as “/*sw7586sdd*/” in between the JavaScript code used, Talos notes. “These comments are changed per session, which means that the Base64 encoded blob looks different in every session,” Talos researcher wrote in a technical write up outlining their research.

This script then executes another malicious Flash (SWF) file that is once again obfuscated by the DoSWF Flash tool. Talos says it is working on de-obfuscating the code, but for now asserts the code “seems to be a type of shellcode payload which gets decoded at runtime, combined with other strings stored in the SWF, and finally executed by an exploit.”

The remaining JavaScript file in the RIG exploit kit landing page, according to Talos, is exploiting CVE-2013-2551 (aka MS13-037) to download and infect the victim. MS13-037 is a vulnerability that exploits an integer overflow vulnerability on Internet Explorer, according to a Microsoft security bulletin from May 2013.

“The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8,” according to a technical description of MS13-037 by Rapid7.

According to Talos, MS13-037 includes code that drives the victim to a URL to download the final EK malware.

In the campaigns tracked by Cisco Talos for this report, it said payloads included ransomware (mainly CRYPTFILE2 and including Locky and CryptXXX), Trojans (Gamarue and Gootkit) and some broken executables, Unterbrink said.

Protecting against RIG disabling all unnecessary browser plugins, recommends Cisco Talos. “Patching and updating is mandatory for all browsers and their plugins. Any browser with an unpatched outdated Flash plugin will get infected, it is just a question of time,” Unterbrink said. That time horizon, he said will be small. “I would guess something from minutes to a few days, depending on your luck and surfing behavior.”

Suggested articles