Rig Exploit Kit - Responsible For At Least One-Third Of Malware In 2016

· Read in about 2 min · (341 Words)

There is no such thing as a perfect web application. Some software vulnerabilities have been there since the very first application was created. The majority of today's exploitation can lead to the automatic execution of arbitrary codes without the users' permission. In this post, we show the Rig Exploit Kit's attack flow. Quttera's malware researchers uncovered and removed this malware for one of our ThreatSign customer websites.

Rig Exploit Kit has been thunderous, and it is widely used by the hackers to distribute malware over the internet. The malware authors used the term "RIG" because of the architecture that allows binding to virtually anything to form the foundation of a successful attack. Approximately 26.6% of the hacking attacks this year used the Rig to distribute the malware.

Let's dig into the Rig Exploit Kit once the attack has been setup:

16-10-2016-1.png

The traffic above is just a sample of a successful attack of RIG.

RIG Exploit Kit (RIG EK) - Landing Page:

Usually, the landing page refers to the redirected page of the main site. This site contains the encrypted code that will eventually send a request to another malicious site to download and execute the payload.

This is what a heavily obfuscated code of RIG EK looks like:

16-10-2016-2.png

After the first layer of deobfuscation:

16-10-2016-3.png

After the next layer:

16-10-2016-4.png

After the last layer:

16-10-2016-5.png

Now, this decrypted codes are being generated during runtime. Hence, the code is statically invisible through the PCAP (packet capture).

RIG EK also checks the victims' computers for any browser-based vulnerabilities. As you can see at the bottom of the image, this attack serves another exploit, in this report, it is an SWF exploit, which traditionally the one that downloads and executes the payload (usually a ransomware).

Your website is infected with the malware or blacklisted?

Here at Quttera we are cleaning this and other kinds of malware on a daily basis. If you would like our malware analysts to help you, just select appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk

Malware clean-up and hacking recovery for websites

Get your website cleaned and removed from blacklists. Prevent traffic loss and protect your visitors now.

economy

119$

/yr

1 domain
Blacklisting removal
Malware clean-up
Daily malware scanning
Malware scan reports by email
Re-scan anytime
Create Account
professional

399$

/yr

5 domains
Blacklisting removal
Malware clean-up
Daily malware scanning
Malware scan reports by email
Re-scan anytime
Create Account

more plans

Need help? contactus@quttera.com

Newsletter

What's in newsletter?

Example newsletter



© 2017 Quttera Ltd. All rights reserved.