RIG Exploit Pack

A new exploit pack has been marketed in the underground since last month and appears to be picking up some steam. The new pack is called RIG and touts the following exploits:

Java – CVE-2012-0507, CVE-2013-2465
IE 7/8/9 – CVE-2013-2551
IE 10 – CVE-2013-0322
Flash – CVE-2013-0634
Silverlight – CVE-2013-0074

2014-05-12_01

The pack is said to have an average rate of 8-12% and costs $60 per day or $300 per week.

Here’s what a typical infection chain looks like. Look closely and you can see why this is being pegged as Infinity EK. There are similarities but they are different packs.

2014-05-12_02

On a compromised website, the iframe tag leads to the TDS rotator:

2014-05-12_03

If everything checks out then you get another iframe (the bottom part of the page appears to be a tracker):

2014-05-12_04

On the counter.php page, there’s yet another iframe. This time you get to the landing page of the exploit pack:

2014-05-12_05

The landing page is a large file and consists of five scripts. The top section, through some misdirection and obfuscation, assigns a value of “body” to the “vx” variable which is used by the following four scripts.

2014-05-12_06

Each of the four scripts looks something similar to this. All it’s doing is building up decimal values that are on each line preceding with “pop” to the variable “bui” which is then converted to ASCII and appended to the body element.

2014-05-12_07

This is the result after deobfuscating one of the scripts. This sets up the Java exploit.

2014-05-12_08

Here’s one for Silverlight. You can see the URL to the exploit followed by the shellcode in Base64.

2014-05-12_09

The D&E shellcodes which are passed as a parameter to the exploit code are XOR-encoded each with it’s own unique five-value hex key.

2014-05-12_10

Since the landing page contains all of these scripts, you get hit with several exploits at once leading to multiple payloads asking to bypass UAC. It’s very noisy and inefficient.

2014-05-12_11

If the exploit is successful, the payload is downloaded and executed and then requests are made to the following sites to download crimeware:

zemmes-gimbl .com/b/shoe/1928
chanse-leaf .com/com_phocaguestbook/jquery/

Files called “UpdateFlashPlayer_[random].exe” are downloaded to the temp folder with the hidden attribute set which prompts the user incessantly.

File: applet.jar
MD5: 9c6317f0c22b0782fac5858d0c4c4886
VT: 4/52

File: flash1.swf
MD5: 65aff3a3774298b3ed5ba2c43f8a1979
VT: 0/52

File: flash2.swf
MD5: 40fd69626f5248012b6d5bd2e4d2fc9b
VT: 0/52

File: 264078.exe
MD5: e4f53ece665e71955bf8f9170e3324a1
VT: 9/52

File: ewuwxeu.exe
MD5: ea8dbf470fb0dc41e10d2dcf69f53153
VT: 14/52

File: UpdateFlashPlayer_5386a177.exe
MD5: 60b1cbb5d9af6125d011bd7306afec64
VT: 2/51

File: UpdateFlashPlayer_9609e705.exe
MD5: 8caf8b2f7198bc757541a93267447460
VT: 10/52

This entry was posted in Exploit Packs and tagged , . Bookmark the permalink.