**T** **H** **U** **R** **S** **D** **A** **Y** **,** **J** **A** **N** **U** **A** **R** **Y** # RIGGING COMPROMISE - RIG EXPLOIT KIT **_This post was authored by_** **_[Nick Biasini with contributions by Joel Esler.](http://blogs.cisco.com/author/NickBiasini)_** **Exploit Kits are one of the biggest threats that affects users, both inside and outside the** **enterprise, as it indiscriminately compromises simply by visiting a web site, delivering a** **malicious payload. One of the challenges with exploit kits is at any given time there are** **numerous kits active on the Internet. RIG is one of these exploit kits that is always around** **delivering malicious payloads to unsuspecting users. RIG first appeared in our telemetry�** **[back in November of 2013, back then we referred to it as](http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html)** **[Goon, today it's known as RIG.](http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html)** **We started focusing on RIG and found some interesting data similar to what we found** **[while analyzing Angler. This post will discuss RIG, findings in the data, and what actions�](http://www.talosintel.com/angler-exposed/)** **were taken as a result.** ## THE EXPLOIT KIT OVERVIEW **RIG compromises users like any exploit kit. It starts with a user being redirected to a** **landing page. This is done via malicious iframes or malvertising and looks similar the** **following:** **It begins with an initial link to a javascript:** ----- **This page is just a simple iframe that retrieves the actual landing page. The request for the** **landing page looks like:** **When the user is actually delivered a landing page, it is highly obfuscated and lacks some** **of the English based text we see in other exploit kits. Below is a small sample of the** **obfuscated landing page:** ----- **After probing the browser RIG delivers an exploit to the end user. Below is an example of** **flash exploit that RIG was delivering:�** **One interesting aspect of RIG is the actual payload is obtained in a separate GET request.** **We usually see the exploit and payload delivered together or at least delivered in a highly** **obfuscated manner, not a GET request delivering an actual executable. This is not the** **case for RIG. Below is a sample of the GET request for the malicious payload:** ----- **system. RIG tries to hide as legitimate services on Windows platforms. Common** **examples included defsrag.exe, dissdkchk.exe, systemrestore.exe. These are designed to** **look similar to defrag, diskchk, and the system restore functionality in Windows. However,** **in all cases these files were dropped in to TEMP folders instead of SYSTEM32 where they�** **would be expected to be located.** ## THE DATA **RIG exploit kit is steadily compromising users, below is a sample of the data we gathered** **over two months related to systems serving RIG exploit kit. Users were being driven to** **RIG through malicious iframes and malvertising. The overall volume of activity was lower,** **affecting hundreds of users, instead of the thousands we saw impacted by Angler.** **DOMAIN ACTIVITY** **An analysis of the data associated with RIG revealed some familiar patterns. First was the** **use of domain shadowing. We found that domain shadowing is currently being used** **exclusively to host RIG, unlike with Angler, we were unable to find other domain activity�** **during the two month period. This particular use of domain shadowing has interesting** **aspects related to the subdomains themselves. RIG is using very short string based** **subdomains ranging from english based words like admin, user, news, and server. Also** ----- **RIG over several months. The activity was spread evenly among those subdomains with** **few having more than 10 hits in the months of activity and the majority having less than** **five.�** **REFERERS** **RIG, like most exploit kits, is getting users infected via the use of malicious iframes** **injected in websites and malvertising. There were a couple of interesting things that we** **observed in the data. First is the use of Google and Bing in the redirection chain. We have** **seen this before in Nuclear exploit kit and this will provide an extra layer in the chain to** **help ensure users are getting to the landing pages. The second interesting fact dealt with** **the volume, there were more than 60 unique referers observed over the two month period** **but the average volume was low with most having less than five entries.�** **EXPLOITS** **During the two month period shown here we saw RIG using Flash to compromise** **systems. The primary exploit being used was CVE-2015-5119. We saw a total of 30** **unique hashes being used to compromise systems during the two month period. 70% of** **those hashes were known by VirusTotal and had some protection from an AV perspective.** **Despite that users were still being compromised and malicious payloads were being** **delivered.** **PAYLOADS** ----- **g** **payload were variants of Tofsee which is a spam botnet. The way these payloads work is** **by sending large amounts of spam email related to various topics. Spambot payloads** **were very common to exploit kits several years ago, but most have moved on to payloads** **that guarantee quick monetization. The use of these payloads by RIG is an interesting** **differentiator from other exploit kits Talos has been observing.** **Most of the payloads we found had very good detection on VirusTotal with most being** **detected by more than half of the AV vendors. Again, despite this RIG continues to** **successfully compromise users that are primarily using versions of Internet Explorer on** **Windows platforms, based on the user agent information.** **IP Infrastructure** **This is the most interesting aspect of our RIG research. We observed 44 different IP** **addresses delivering some form of RIG. As shown above you can see that on most days** **there were only one or two IP's actively hosting RIG.** **When we resolved the IP's to the associated ASN we found something surprising. With the** **exception of a single IP address all IP's belonged to the same ASN (35415).** ----- **This particular ASN is associated with Webzilla, a provider out of Russia. Further** **investigation actually revealed that all of the addresses were leased to Eurobyte, which is** **another Russian provider. Talos reached out to both providers giving them the information** **regarding the hosts that we observed serving RIG. Webzilla responded and identified the�** **customers that were generating the events and blocked the hosts successfully. Below is a** **graph showing the RIG activity we observed during our investigation:** ----- **Monitoring the amount of RIG activity after our notification, we have consistently seen new�** **servers that are being hosted by Eurobyte being stood up and compromising users via** **RIG. We again reached out to Eurobyte to try and get a response directly from the** **provider where the malicious activity is being hosted. Despite multiple emails to Eurobyte** **RIG activity continued as new addresses get stood up after being reported to WebZilla.** **This underscores one of the major problems we face today, leaf providers. As providers** **could have multiple downstream leaf providers we find that we routinely have success in�** **dealing with larger providers. These providers help get systems shut down, but without the** **cooperation of the smaller downstream providers the adversaries just stand up new** **servers and move on. We were able to inflict some damage to RIG during our�** **investigation, but were unable to actually get the actors behind the activity stopped.** ## RESPONSE **Since Eurobyte chose not to acknowledge or respond to our repeated messages we did a** **little further research on the activity associated with the provider. We worked with our** **research partners at OpenDNS Labs to get better visibility into the domains that were** **hosted. Based on our research we found a total of seven class C networks owned by the** **provider, with one of the class C's serving as their corporate network. Based on the** **information from OpenDNS provided we found approximately 25,000 domains being** **hosted on this address space. These domains were heavily leveraging the Russian TLD** **(.ru), as expected. Three of the class C networks were seen serving RIG during the** **period. We took the domains that OpenDNS provided and queried them against Talos’s** **automated web reputation. We found that of the six class C address spaces that are being** **used by Eurobyte five were scored significantly negatively in web reputation. The only�** **exception was one Class C network that was hosting the Russian payment platform e-** **autopaycom.** **Based on all this information and Eurobytes failure to respond or even acknowledge abuse** **requests Talos and OpenDNS have decided to blacklist the five suspect subnets for a�** ----- **address spaces to Cisco s IP and Domain intelligence blacklists. These blacklists are** **leveraged by multiple Cisco security products and will effectively protect our customers** **from any activity from this provider. This includes all technologies that consume our** **reputation services. The advantage of these blacklists, as well as our Advanced Malware** **Protection with our fantastic AMP line of products is, this detection adapts and changes in** **real time to the threat.** **Additionally, after reviewing the data provided by OpenDNS we worked with them to make** **sure that the threat was mitigated from their perspective as well. We found that the** **majority of the address space was already being blocked by OpenDNS, but we were able** **to round out the protection and make sure that Eurobyte won't be serving malicious** **content to both Cisco and OpenDNS customers. For additional information on how** **[OpenDNS has been tracking RIG please see the following blog from the most recent talk](https://labs.opendns.com/2015/11/19/sprank-and-ip-space-monitoring/)** **[at Brucon.](https://www.youtube.com/watch?v=8edBgoHXnwg)** ## DETECTION **Talos’s unparalleled visibility into threat data allows us to automatically adjust protection** **for our customers based upon real-world visibility into data. Convicting IPs, Domains,** **affecting the reputation of files in our AMP products, easily turning any of our data�** **collection systems against each other, each updating quickly to protect every single one of** **Cisco’s security customers against the threat in real-time, and continuously.** ## IOC **IP INFORMATION** **46.30.42.0/24** **46.30.43.0/24** **46 30 44 0/24** ----- **[DOMAIN INFORMATION (TEXT FILE)](http://blogs.cisco.com/wp-content/uploads/rig_domains_unique.txt)** ## CONCLUSION **The exploit kit problem is larger than just Angler. However, the news related to exploit kits** **has been largely focused on Angler in 2015, now Angler seems to be on a temporary** **vacation since the end of 2015. This is expected with the sophistication, scope, and** **innovation that Angler incorporates. However, as evidenced by this research, it doesn't** **take innovation and sophistication to compromise users. RIG exploit kit is steadily and** **consistently compromising users and delivering malicious payloads. Visibility into the other** **exploit kits is valuable and necessary to help shed light on the behavior and identify the** **providers they are leveraging to help protect and educate the community.** **Additionally, this research shed light on the problem of leaf providers. Providers are in a** **tough spot with lots of systems and limited resources. That was one of the driving force** **behind** **[Project Aspis, to help aid providers by providing resources to help them identify](http://www.talosintel.com/aspis/)** **and mitigate these threats. It's understandable that malicious activity is going to occur at** **hosting providers. It's impossible for them to know the intentions of a customer when they** **are purchasing systems. At the same time when a provider is notified of malicious activity�** **it is their responsibility to at least acknowledge the abuse and work to validate and, if** **legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte�** **has not. This lack of response lead Talos to make the decision to blacklist large portions of** **the provider's network to ensure that our customers are protected since reporting the** **abuse alone is not enough.** ## COVERAGE **[Advanced Malware Protection (AMP) is](http://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html)** **ideally suited to prevent the execution** **of the malware used by these threat** **actors.** **[CWS or](http://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html)** **[WSA web scanning prevents](http://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html)** **access to malicious websites and** **detects malware used in these attacks.** **[The Network Security protection of IPS](http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html)** **and** **[NGFW have up-to-date signatures](http://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html)** **to detect malicious network activity by threat actors.** ----- **L** **A** **E** **B** **[X](http://blog.talosintel.com/search/label/exploit kit)** **E** **P** **L,** **M** **L** **[S](http://blog.talosintel.com/search/label/Malware)** **A** **O** **:** **,** **RL** **I** **,** **TWI** **T** **HGA** **RRK** **EEI** **AT** **T** **R** **E** **S** **S** **H** **A** **R** **E** **T** **H** **I** **S** **P** **O** **S** **T** **2 COMMENTS:** **[CONRAD LONGMORE JANUARY 9, 2016 AT 6:15 PM](https://www.blogger.com/profile/11751822299235747323)** **As it happens, I'm just running an analysis on sites hosted by Eurobyte LLC either** **currently on in the past, using a somewhat different data set. So far, out of 7500** **sites analysed, 35% are tagged by Google as being malicious. This probably** **means that many of the other 65% are also bad, but they just haven't been tagged.** **The Eurobyte LLC range is actually a bit bigger than you specify, they rent the** **entire 46.30.40.0/21 range from Webzilla. The /24s you are missing are:** **46.30.40.0/24** **46.30.41.0/24** **46.30.47.0/24** **Webzilla also provide services for the fairly notorious McHost.ru in the** **178.208.64.0/19 range.** **[Reply](javascript:;)** **[Replies](javascript:;)** **[NICK BIASINI JANUARY 11, 2016 AT 1:24 PM](https://www.blogger.com/profile/11420644688145888259)** **Thanks for the info Conrad. We chose not to block several of the ranges** **since they were either hosting legitimate activity or were the corporate** **address space for Eurobyte.** **Reply** ----- **Comment as:** **[Select profile...]** **[Select profile...]** **PreviewPreview** **POST A COMMENT** **N** **E** **W** **E** **R** **P** **O** **S** **T** **PublishPublish** **H** **O** **M** **E** **O** **L** **P** **O** **S** **U** **B** **SP** **CO** **RS** **IT** **B** **EC** **O** **T** **M** **O** **M** **:** **E** **N** **T** **S** **S** **E** **A** **R** **C** **H** **T** **H** **E** **B** **L** **O** **G** **Search** **S** **U** **B** **S** **C** **R** **I** **B** **E** **T** **O** **O** **U** **R** **Posts** **Comments** **B** **L** **O** **G** **A** **R** **C** **H** **I** **V** **E** **[▼ 2](javascript:void(0))** **0(3)** **1** **6** **[▼ J](javascript:void(0))** **A** **(3)N** **U** **A** **R** **Y** **[Research Spotlight: Needles in a Haystack](http://blog.talosintel.com/2016/01/haystack.html)** **[Microsoft Patch Tuesday - January 2016](http://blog.talosintel.com/2016/01/ms-tuesday.html)** **Rigging compromise - RIG Exploit Kit** **[► 2](javascript:void(0))** **0(62)** **1** **5** **[► 2](javascript:void(0))** **0(67)** **1** **4** ----- **[► 2](javascript:void(0))** **0(23)** **1** **1** **[► 2](javascript:void(0))** **0(94)** **1** **0** **[► 2](javascript:void(0))** **0(146)** **0** **9** **[► 2](javascript:void(0))** **0(41)** **0** **8** **R** **E** **C** **O** **M** **M** **E** **N** **D** **E** **D** **B** **L** **O** **G** **C** **I** **S** **C** **O** **B** **L** **O** **G** **[Cisco Partner Weekly Rewind – January 22, 2016](http://blogs.cisco.com/partner/cisco-partner-weekly-rewind-january-22-2016)** **S** **N** **O** **R** **T** **B** **L** **O** **G** **[Snort Subscriber Rule Set Update for 01/21/2016](http://feedproxy.google.com/~r/Snort/~3/yQE5HLUrqug/snort-subscriber-rule-set-update-for_21.html)** **C** **L** **A** **M** **A** **V** **®** **B** **L** **O** **G** **[ClamAV 0.99 Release is the largest ever!](http://feedproxy.google.com/~r/Clamav/~3/VYtOu9B9Dq8/clamav-099-release-is-largest-ever.html)** **[Software](http://talosintel.com/software)** **[Community](http://talosintel.com/community)** **[Vulnerability Reports](http://talosintel.com/vulnerability-reports)** **[Additional Resources](http://talosintel.com/additional-resources)** **[Microsoft to SID Mapping Archive](http://talosintel.com/ms-advisory-rules)** **[Shared Object Rule Generator](http://talosintel.com/so-rule-generator)** **[IP Blacklist Download](http://talosintel.com/feeds/ip-filter.blf)** **[AWBO Exercises](http://talosintel.com/awbo)** **[About Talos](http://talosintel.com/about)** **[Join Our Team](http://talosintel.com/careers)** **[Contact](http://talosintel.com/contact/)** **[Blog](http://blog.talosintel.com)** **CONNECT WITH US** ----- -----