{
	"id": "52f93651-89f3-4ff9-acc5-a475e2b68739",
	"created_at": "2026-04-06T02:10:46.366807Z",
	"updated_at": "2026-04-10T13:12:32.707953Z",
	"deleted_at": null,
	"sha1_hash": "2e963fc3d0b26b8f683b2c2120019e9841633667",
	"title": "A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1448374,
	"plain_text": "A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2018-05-14 · Archived: 2026-04-06 01:48:28 UTC\r\nWritten by: Irshad Muhammad, Shahzad Ahmed, Hassan Faizan, Zain Gardezi\r\nAs discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However,\r\nwe do still periodically observe significant developments in this space, and we have been observing interesting\r\nongoing activity involving RIG Exploit Kit (EK). Although the volume of its traffic observed in-the-wild has been\r\non the decline, RIG EK remains active, with a wide range of associated crimeware payloads.\r\nIn this recent finding, RIG EK was observed delivering a Trojan named Grobios. This blog post will discuss this\r\nTrojan in depth with a focus on its evasion and anti-sandbox techniques, but first let’s take a quick look at the\r\nattack flow. Figure 1 shows the entire infection chain for the activity we observed.\r\nFigure 1: Infection chain\r\nWe first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which\r\nhad a malicious iframe injected into it (Figure 2).\r\nFigure 2: Malicious iframe injected in latorre[.]com\r\nhttps://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html\r\nPage 1 of 11\r\nThe iframe loads a malvertisement domain, which communicates over SSL (certificate shown in Figure 3) and\r\nleads to the RIG EK landing page that loads the malicious Flash file (Figure 4).\r\nFigure 3: Malicious SSL flow\r\nFigure 4: RIG EK SWF download request\r\nWhen opened, the Flash file drops the Grobios Trojan. 
Figure 5 shows the callback traffic from the Grobios\r\nTrojan.\r\nFigure 5: Grobios callback\r\nAnalysis of the Dropped Malware\r\nGrobios uses various techniques to evade detection and gain persistence on the machine, which makes it hard for\r\nit to be uninstalled or to go inactive on the victim machine. It also uses multiple anti-debugging, anti-analysis and\r\nanti-VM techniques to hide its behavior. After successful installation on the victim machine, it connects to its\r\ncommand and control (C2) server, which responds with commands.\r\nIn an effort to evade static detection, the authors have packed the sample with PECompact 2.xx. The unpacked\r\nsample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it\r\ncalls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses\r\nstack strings. Figure 6 shows an example of the malware calling WinAPI functions using their hashes.\r\nFigure 6: An example of calling WinAPI functions using their hashes\r\nLoading\r\nThe malware sample starts a copy of itself, which further injects its code into svchost.exe or IEXPLORE.EXE\r\ndepending on the user privilege level. Both parent and child quit after injection is complete. Only\r\nsvchost.exe/IEXPLORE.EXE keeps running. Figure 7 shows the process tree.\r\nFigure 7: Process tree of the malware\r\nPersistence\r\nThe malware has an aggressive approach to persistence. It employs the following techniques:\r\nIt drops a copy of itself into the %APPDATA% folder, masquerading as a version of legitimate software\r\ninstalled on the victim machine. It creates an Autorun registry key and a shortcut in the Windows Startup\r\nfolder. 
During our analysis, it dropped itself to the following path:\r\n%APPDATA%\\Google\\v2.1.13554\\\u003cRandomName\u003e.exe.\r\nThe path can vary depending on the folders the malware finds in %APPDATA%.\r\nIt drops multiple copies of itself in subfolders of a program at the path\r\n%ProgramFiles%/%PROGRAMFILES(X86)%, again masquerading as a different version of the installed\r\nprogram, and sets an Autorun registry key or creates a scheduled task.\r\nIt drops a copy of itself in the %Temp% folder, and creates a scheduled task to run it.\r\nOn an infected system, the malware creates two scheduled tasks, as shown in Figure 8.\r\nFigure 8: Scheduled tasks created by the malware\r\nThe malware changes the file Created, Modified, and Accessed times of all of its dropped copies to the Last\r\nModified time of ntdll.dll. To bypass the “File Downloaded from the Internet” warning, the malware removes the\r\n:Zone.Identifier flag using the DeleteFile API, as shown in Figure 9.\r\nFigure 9: Call to DeleteFileW to remove the :Zone.Identifier flag from the dropped copy\r\nAn interesting behavior of this malware is that it protects its copy in the %TEMP% folder using EFS (Windows\r\nEncrypted File System), as seen in Figure 10.\r\nFigure 10: Cipher command shows the malware copy protected by EFS\r\nDetecting VM and Malware Analysis Tools\r\nJust before connecting to the C2, the malware does a series of checks to detect the VM and malware analysis\r\nenvironment. It can detect almost all well-known VM software, including Xen, QEMU, VMWare, Virtualbox,\r\nHyper-V, and so on. 
The following is the list of checks it performs on the victim system:\r\nUsing the FindWindowEx API, it checks whether any of the analysis tools in Table 1 are running on the\r\nsystem.\r\nAnalysis Tools\r\nPacketSniffer\r\nFileMon\r\nWinDbg\r\nProcess Explorer\r\nOllyDbg\r\nSmartSniff\r\ncwmonitor\r\nSniffer\r\nWireshark\r\nTable 1: Analysis tools detected by malware\r\nThe malware contains a list of hashes of blacklisted process names. It checks whether the hash of any\r\nrunning process matches a hash on the blacklist, as shown in Figure 11.\r\nFigure 11: Check for blacklisted processes\r\nWe were able to crack the hashes of the blacklisted processes shown in Table 2.\r\nHash Process\r\n283ADE38h vmware.exe\r\n8A64214Bh vmount2.exe\r\n13A5F93h vmusrvc.exe\r\n0F00A9026h vmsrvc.exe\r\n0C96B0F73h vboxservice.exe\r\n0A1308D40h vboxtray.exe\r\n0E7A01D35h xenservice.exe\r\n205FAB41h joeboxserver.exe\r\n6F651D58h joeboxcontrol.exe\r\n8A703DD9h wireshark.exe\r\n1F758DBh Sniffhit.exe\r\n0CEF3A27Ch sysAnalyzer.exe\r\n6FDE1C18h Filemon.exe\r\n54A04220h procexp.exe\r\n0A17C90B4h Procmon.exe\r\n7215026Ah Regmon.exe\r\n788FCF87h autoruns.exe\r\n0A2BF507Ch\r\n0A9046A7Dh\r\nTable 2: Blacklisted processes\r\nThe malware enumerates registry keys in the following paths to see if they contain the words xen or\r\nVBOX:\r\nHKLM\\HARDWARE\\ACPI\\DSDT\r\nHKLM\\HARDWARE\\ACPI\\FADT\r\nHKLM\\HARDWARE\\ACPI\\RSDT\r\nIt checks whether services installed on the system contain any of the keywords in Table 3:\r\nvmmouse vmdebug vmicexchange vmicshutdown vmicvss\r\nvmicheartbeat msvmmouf VBoxMouse vpcuhub vpc-s3\r\nvpcbus vmx86 vmware VMMEMCTL VMTools\r\nXenVMM xenvdb xensvc xennet6 xennet\r\nxenevtchn VBoxSF VBoxGuest
\r\nTable 3: Blacklisted service names\r\nIt checks whether the username contains any of these words: MALWARE, VIRUS, SANDBOX,\r\nMALTEST\r\nIt has a list of hashes of blacklisted driver names. It traverses the Windows driver directory\r\n%WINDIR%\\system32\\drivers\\ using the FindFirstFile/FindNextFile APIs to check whether the hash of the name of\r\nany driver matches that of a blacklisted driver name, as shown in Table 4.\r\nHash Driver\r\n0E687412Fh hgfs.sys\r\n5A6850A1h vmhgfs.sys\r\n0CA5B452h prleth.sys\r\n0F9E3EE20h prlfs.sys\r\n0E79628D7h prlmouse.sys\r\n68C96B8Ah prlvideo.sys\r\n0EEA0F1C2h prl_pv32.sys\r\n443458C9h vpcs3.sys\r\n2F337B97h vmsrvc.sys\r\n4D95FD80h vmx86.sys\r\n0EB7E0625h vmnet.sys\r\nTable 4: Hashes of blacklisted driver names\r\nIt calculates the hash of the ProductId and matches it against three blacklisted hashes to detect public sandboxes,\r\nshown in Table 5.\r\nHash Product Id Sandbox Name\r\n4D8711F4h 76487-337-8429955-22614 Anubis Sandbox\r\n7EBAB69Ch 76487-644-3177037-23510 CWSandbox\r\nD573F44D 55274-640-2673064-23950 Joe Sandbox\r\nTable 5: Blacklisted product IDs\r\nThe malware calculates the hash of loaded module (DLL) names and compares them with the list of hashes\r\nof blacklisted module names shown in Table 6. 
These are the DLLs commonly loaded into the process\r\nbeing debugged, such as dbhelp.dll and api_log.dll.\r\n6FEC47C1h 6C8B2973h 0AF6D9F74h 49A4A30h 3FA86C7Dh\r\nTable 6: Blacklisted module name hashes\r\nFigure 12 shows the flow of code that checks for blacklisted module hashes.\r\nFigure 12: Code checks for blacklisted module hashes\r\nIt checks whether registry keys present at the paths\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum and\r\nHKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum contain any of these words: QEMU, VBOX,\r\nVMWARE, VIRTUAL\r\nIt checks whether registry keys at the paths HKLM\\SOFTWARE\\Microsoft and HKLM\\SOFTWARE contain\r\nthese words: VirtualMachine, vmware, Hyber-V\r\nIt checks whether the system BIOS version present at the registry path\r\nHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion contains these words: QEMU,\r\nBOCHS, VBOX\r\nIt checks whether the video BIOS version present at the registry path\r\nHKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion contains the VIRTUALBOX substring.\r\nIt checks whether the registry key at the path HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus\r\n0\\Target Id 0\\Logical Unit Id 0\\Identifier contains any of these words: QEMU, vbox, vmware\r\nIt checks whether the registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions exists on the\r\nsystem.\r\nNetwork Communication\r\nThe malware contains two hardcoded obfuscated C2s. After de-obfuscating the C2 URLs, it generates a random\r\nstring of 20 characters, appends it to the end of the URL, and sends the request for commands. Before it executes the\r\ncommands, the malware verifies the identity of the C2. 
It calculates the hash of 4 bytes of data using the\r\nCALG_MD5 algorithm. It then uses the Base64 data from the CERT command as a public key in\r\nCryptVerifySignature to verify the hash signature (Figure 13). If the signature is verified, the malware executes the\r\ncommands.\r\nFigure 13: Malware verifies the C2 hash\r\nDuring our initial analysis, we found that the malware supports the commands shown in Table 7.\r\nCommand Description\r\nCERT Contains the data used to verify the identity of the C2\r\nCONNECT Connect to the given host for further commands\r\nDISCONNECT Close all the connections\r\nWAIT Wait for the given number of seconds before executing the next commands\r\nREJECT Kind of NOP. Move on to the next command after waiting for 5 seconds\r\nTable 7: Commands supported by the malware\r\nFigure 14 shows commands being issued by the C2 server.\r\nFigure 14: Commands issued by the C2 server\r\nConclusion\r\nDespite the decline in activity, exploit kits still continue to put users at risk – especially those running older\r\nversions of software. Enterprises need to make sure their network nodes are fully patched.\r\nAll FireEye products detect the malware in our MVX engine. 
Additionally, FireEye Network Security blocks\r\ndelivery at the infection point.\r\nIndicators of Compromise (IOCs)\r\n30f03b09d2073e415a843a4a1d8341af\r\n99787d194cbd629d12ef172874e82738\r\n169.239.129[.]17\r\ngrobiosgueng[.]su\r\nAcknowledgments\r\nWe acknowledge Mariam Muntaha for her contribution to the blog regarding malicious traffic analysis.\r\nSource: https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html"
	],
	"report_names": [
		"deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441446,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e963fc3d0b26b8f683b2c2120019e9841633667.pdf",
		"text": "https://archive.orkl.eu/2e963fc3d0b26b8f683b2c2120019e9841633667.txt",
		"img": "https://archive.orkl.eu/2e963fc3d0b26b8f683b2c2120019e9841633667.jpg"
	}
}