RIG EK Still Makes Waves, This Time with a Stealthy Backdoor

The main purpose of Grobios malware is to help attacker establish a strong, persistent foothold in a victim’s system, in order to drop additional payloads later.

Exploit kit activity has been declining since the latter half of 2016, but the RIG EK seems to buck the trend. It’s been involved in ongoing activity involving a wide range of crimeware payloads; and the latest campaign saw RIG dropping the Grobios malware, which is tailored to be a really stealthy backdoor.

The campaign was first seen in March by FireEye Labs, redirecting victims (mainly in the U.S.) to a compromised domain with a malicious iframe injected into it. That iframe in turn loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page. RIG then loads a malicious Flash file that drops the Grobios trojan.

The trojan’s main hallmark is an impressive arsenal of evasion and anti-sandbox techniques, according to FireEye researchers. It also uses multiple anti-debugging, anti-analysis and anti-VM techniques to hide its behavior and C2 traffic.

“The main purpose of Grobios malware is to help attacker establish a strong foothold in the system by employing various kinds of evasions and anti-VM techniques,” Ali Islam, director of FireEye, told Threatpost. “Once a strong foothold is established, an attacker can drop a payload of his/her choice, which can be anything from an infostealer to ransomware, etc.”

FireEye researchers said in an analysis on Monday that Grobios’ efforts to evade detection are a grab-bag of tactics: The authors have packed the sample with PECompact 2.xx, for one. Also, the unpacked sample has no function entries in the import table; it uses API hashing to obfuscate the names of API functions it calls; it parses the PE header of the DLL files to match the name of a function to its hash; and, the malware uses stack strings.

Also, just before connecting to the C2 server, the malware does a series of checks to detect virtual machines and malware analysis environments. It can detect almost all well-known VM software, including Xen, QEMU, VMWare, Virtualbox, Hyper-V and so on, according to FireEye, and compares the machine against a list of hashes of blacklisted driver names.

For persistence, Grobios gets very aggressive: It drops a copy of itself into an application folder, masquerading as a version of legitimate software installed on the victim machine. It then creates an Autorun registry key and a shortcut in the Windows Startup folder. From there, it drops multiple copies of itself in subfolders of a legitimate program, again masquerading as different versions of installed programs, and sets an Autorun registry key or creates a scheduled task.

The persistence increased the danger of the campaign, because it allows Grobios to lay in wait until its operators are ready to send additional payload drops.

In general, the campaign is interesting given that exploit kits have waned in usage. This is largely because systems are becoming less vulnerable, according to Zain Gardezi, FireEye vulnerability researcher. Users are using a wider variety of browsers and are often disabling Flash, making it harder to infect customers with old patched exploits and lessening the threat surface for those wielding EKs.

“More and more users are shifting towards more secure browsers, and Flash support is slowly dwindling over time as well,” Gardezi said in an interview. “Due to this, cybercriminals are investing in zero-day discoveries that are usable in drive-by attacks rather than [old vulnerabilities and] just simple social engineering campaigns where they have to trust human psychology doing their work for them.”

However, he added that the RIG EK manages to remain quite attractive to attackers that make “spray and pray” tactics their modus operadi, because it’s a generalist with wide appeal.

“[RIG] is usually never the pioneer to add zero-day exploits, and it only follows after other EKs have already incorporated them,” Gardezi explained. “RIG is mainly used by multiple actors that mostly rely on throwing out malvertisements in hopes of infecting as many users as possible. RIG has always been the EK with wider variety of campaigns, in terms of quantity of propagation as well as crimeware variety.”

The moral of the story is that EKs continue to put users at risk – especially those running older versions of software. Enterprises, as always, should make sure their network nodes are fully patched in order to avoid falling victim to this basic threat.


Suggested articles