RIG Exploit Kit (EK)
Analysis conducted by Palo Alto compared activity levels, malware payloads and network traffic characteristics of the RIG Exploit Kit (EK) between January 2017 and January 2018. RIG EK was the most prominent and popular EK across 2016, but has since seen a significant decline in its use. The decline is interesting in itself, but the recent developments in its use that Palo Alto identified have far greater business impact.
RIG EK’s decline has been observed since April 2017. Palo Alto views this as the result of arrests and “vendor efforts to fortify browsers and browser-based applications”. Additionally, malicious actors shifted their focus to other types of exploits, notably various Microsoft Office vulnerabilities, and also began using phishing as an attack vector.
Firstly, the decline in RIG is not related to obfuscation or anti-detection techniques, although its authors had made efforts to include such components. Domain shadowing was removed and replaced with IP addresses. Base64-encoded strings were also used where the exploit kit had previously used English text in domains. The move away from domain shadowing was forced on the kit’s authors: in June 2017 a coordinated effort, documented by RSA Research, took down the associated domain shadowing infrastructure.
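The traffic shift described above, from domain-shadowed hostnames to literal IP addresses carrying base64 strings, is something a defender can hunt for in web proxy logs. The following is an added example, not code from the Palo Alto or RSA reports; the log lines, the host/token heuristic and the `flag_rig_like_requests` helper are all constructed for illustration.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the Palo Alto report):
# "<timestamp> <client IP> <method> <URL>".
SAMPLE_LOG = """\
2018-01-12T10:02:11Z 10.1.4.23 GET http://cdn.example-shop.com/static/app.js
2018-01-12T10:02:14Z 10.1.4.23 GET http://198.51.100.17/?MTI5OTU3MzU2Mzg4ODQwNTY5&bGFuZGluZw==
2018-01-12T10:02:15Z 10.1.4.23 GET http://198.51.100.17/dGVzdCBzdHJpbmcgZm9yIGV4YW1wbGU=
2018-01-12T10:03:01Z 10.1.4.40 GET http://192.0.2.5/index.html
"""

# "/" is a base64 character but also a URL delimiter, so it is left out of the
# token alphabet; a token that contains "/" is split and may be missed.
B64_TOKEN = re.compile(r"[A-Za-z0-9+]{16,}={0,2}")

def is_literal_ip(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def base64_tokens(text):
    """Return long base64-looking substrings of text that also decode cleanly."""
    found = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # right alphabet, wrong length or padding: not base64
        found.append(token)
    return found

def flag_rig_like_requests(log_text):
    """Flag requests to a literal-IP host whose path or query carries base64.

    Hunting heuristic only: a hex or session identifier whose length is a
    multiple of four also decodes, so hits need analyst review.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, _method, url = line.split()
        parts = urlsplit(url)
        if not is_literal_ip(parts.hostname or ""):
            continue
        tokens = base64_tokens(parts.path + "?" + parts.query)
        if tokens:
            hits.append((timestamp, client, url, tokens))
    return hits
```

Run over the sample, the two requests to 198.51.100.17 are flagged while the plain IP request with a readable path and the domain-hosted request are not.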
The payload of RIG has also adapted. Analysis by Palo Alto highlighted that 36 out of 39 previous campaigns linked to RIG were used to send different types of ransomware, such as Locky, CryptoMix, CryptoShield and Spora. This has since changed to incorporate the ‘malware of the moment’, crypto miners. Specifically, Ramnit, Remcos RAT, coin miners and GandCrab ransomware were identified.
The threat from RIG EK has somewhat diminished but remains significant. As previously reported, crypto miners in themselves are at the lower end of the malware spectrum when comparing impact to business. The initial infection method, however, still requires remediation to prevent subsequent infections. Palo Alto’s profile presented evidence of the exploit kit switching its payload from a crypto miner to an infostealer. Although the frequency of attacks has changed and is likely to remain low, the change of payload is likely only temporary in nature.