There is no such thing as a perfect web application. Some software vulnerabilities have been there since the very first application was created. The majority of today's exploitation can lead to the automatic execution of arbitrary codes without the users' permission. In this post, we show the Rig Exploit Kit's attack flow. Quttera's malware researchers uncovered and removed this malware for one of our ThreatSign customer websites.

Rig Exploit Kit has been thunderous, and it is widely used by the hackers to distribute malware over the internet. The malware authors used the term "RIG" because of the architecture that allows binding to virtually anything to form the foundation of a successful attack. Approximately 26.6% of the hacking attacks this year used the Rig to distribute the malware.

The traffic above is just a sample of a successful attack of RIG.

Usually, the landing page refers to the redirected page of the main site. This site contains the encrypted code that will eventually send a request to another malicious site to download and execute the payload.

This is what a heavily obfuscated code of RIG EK looks like:

After the first layer of deobfuscation:

After the second layer of deobfuscation:

After the third layer of deobfuscation:

Now, these decrypted codes are being generated during runtime. Hence, the code is statically invisible through the PCAP (packet capture).

RIG EK also checks the victims' computers for any browser-based vulnerabilities. As you can see at the bottom of the image, this attack serves another exploit, in this report, it is an SWF exploit, which traditionally the one that downloads and executes the payload (usually a ransomware).

Here at Quttera we are cleaning this and other kinds of malware on a daily basis. If you would like our malware analysts to help you, just select appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk