Rig Exploit Kit - Responsible For At Least One-Third Of Malware In 2016

· Read in about 2 min · (341 Words)
blacklisted website malware removal malicious javascript

There is no such thing as a perfect web application. Some software vulnerabilities have been there since the very first application was created. The majority of today's exploitation can lead to the automatic execution of arbitrary codes without the users' permission. In this post, we show the Rig Exploit Kit's attack flow. Quttera's malware researchers uncovered and removed this malware for one of our ThreatSign customer websites.

Rig Exploit Kit has been thunderous, and it is widely used by the hackers to distribute malware over the internet. The malware authors used the term "RIG" because of the architecture that allows binding to virtually anything to form the foundation of a successful attack. Approximately 26.6% of the hacking attacks this year used the Rig to distribute the malware.

Let's dig into the Rig Exploit Kit once the attack has been setup:

16-10-2016-1.png

The traffic above is just a sample of a successful attack of RIG.

RIG Exploit Kit (RIG EK) - Landing Page:

Usually, the landing page refers to the redirected page of the main site. This site contains the encrypted code that will eventually send a request to another malicious site to download and execute the payload.

This is what a heavily obfuscated code of RIG EK looks like:

16-10-2016-2.png

After the first layer of deobfuscation:

16-10-2016-3.png

After the next layer:

16-10-2016-4.png

After the last layer:

16-10-2016-5.png

Now, this decrypted codes are being generated during runtime. Hence, the code is statically invisible through the PCAP (packet capture).

RIG EK also checks the victims' computers for any browser-based vulnerabilities. As you can see at the bottom of the image, this attack serves another exploit, in this report, it is an SWF exploit, which traditionally the one that downloads and executes the payload (usually a ransomware).

Your website is infected with the malware or blacklisted?

Here at Quttera we are cleaning this and other kinds of malware on a daily basis. If you would like our malware analysts to help you, just select appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk

Malware clean-up and hacking recovery for websites

Get your website cleaned and removed from blacklists. Prevent traffic loss and protect your visitors now.

Emergency

$249

/ yr
1 Website
Initial Response Time
within 4 hrs.
Manual Malware Removal / Full Website Audit
Blacklisting removal
Web Application Firewall (DNS-based WAF or Endpoint WAF)
Virtual Patching and website hardening
Free SSL Certificate with the DNS-based Web Application Firewall
all features...
Create Account
Essential Security

$10

/ mo
1 Website
Initial Response Time
within 12 hrs.
Web Application Firewall (DNS-based WAF or Endpoint WAF)
Virtual Patching and website hardening
Free SSL Certificate with the DNS-based Web Application Firewall
External & Internal Malware Scanning
all features...
Create Account

more plans

Need help? contactus@quttera.com

Newsletter

Join our mailing list to receive free email updates

Subscribe now


Latest Posts
tag
© 2023 Quttera Ltd. All rights reserved.