RIG Exploit Pack

A new exploit pack has been marketed in the underground since last month and appears to be picking up some steam. The new pack is called RIG and touts the following exploits:

  • Java - CVE-2012-0507, CVE-2013-2465
  • IE 7/8/9 - CVE-2013-2551
  • IE 10 - CVE-2013-0322
  • Flash - CVE-2013-0634
  • Silverlight - CVE-2013-0074

The pack is said to have an average rate of 8-12% and costs $60 per day or $300 per week.

Here's what a typical infection chain looks like. Look closely and you can see why this is being pegged as Infinity EK. There are similarities but they are different packs.

On a compromised website, the iframe tag leads to the TDS rotator:

If everything checks out then you get another iframe (the bottom part of the page appears to be a tracker):

On the counter.php page, there's yet another iframe. This time you get to the landing page of the exploit pack:

The landing page is a large file and consists of five scripts. The top section, through some misdirection and obfuscation, assigns the value "body" to the "vx" variable, which is then used by the following four scripts.

Each of the four scripts looks something like this. All it's doing is appending the decimal values on each line, each preceded by "pop", to the variable "bui", which is then converted to ASCII and appended to the body element.

This is the result after deobfuscating one of the scripts. This sets up the Java exploit.

Here's one for Silverlight. You can see the URL to the exploit followed by the shellcode in Base64.

The D&E shellcodes, which are passed as a parameter to the exploit code, are XOR-encoded, each with its own unique five-value hex key.
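To make the two decoding steps just described concrete, here is an added analyst-side example (not code from the post or from the kit) that rebuilds the "pop" decimal lines into the text appended to the body element and undoes the five-byte XOR over the Base64 parameter. The sample script, the exact `pop` token layout, the placeholder bytes and the key are all constructed assumptions.

```python
import base64
import re

# Constructed sample shaped like the post's description: each line carries the
# decimal character codes, prefixed with "pop", that the script feeds into the
# variable "bui" before converting them to ASCII and appending them to the
# body element. The exact token layout is an assumption, not RIG's real page.
SAMPLE_SCRIPT = """
var bui = "";
pop 60 97 112 112 108 101 116 32
pop 99 111 100 101 61 34 120 34 62
document.getElementsByTagName(vx)[0].innerHTML += bui;
"""

POP_LINE = re.compile(r"^[ \t]*pop((?:[ \t]+\d{1,3})+)[ \t]*$", re.MULTILINE)


def decode_pop_script(script: str) -> str:
    """Rebuild the text the script appends to the body element."""
    codes = []
    for match in POP_LINE.finditer(script):
        codes.extend(int(n) for n in match.group(1).split())
    return "".join(chr(c) for c in codes)


# Constructed stand-in for the D&E shellcode parameter; deliberately not code.
PLACEHOLDER = b"CONSTRUCTED PLACEHOLDER, NOT SHELLCODE"
KEY_HEX = "1f2e3d4c5b"  # constructed five-value hex key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_sample(plain: bytes = PLACEHOLDER, key_hex: str = KEY_HEX) -> str:
    """Produce a Base64 blob in the shape the landing page passes to the exploit."""
    return base64.b64encode(xor_bytes(plain, bytes.fromhex(key_hex))).decode("ascii")


def xor_decode(blob_b64: str, key_hex: str) -> bytes:
    """Undo the per-script five-byte XOR the post describes over a Base64 blob."""
    key = bytes.fromhex(key_hex)
    if len(key) != 5:
        raise ValueError("expected a five-value hex key")
    return xor_bytes(base64.b64decode(blob_b64), key)


if __name__ == "__main__":
    print(decode_pop_script(SAMPLE_SCRIPT))      # <applet code="x">
    print(xor_decode(encode_sample(), KEY_HEX))  # b'CONSTRUCTED PLACEHOLDER, NOT SHELLCODE'
```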

Since the landing page contains all of these scripts, you get hit with several exploits at once leading to multiple payloads asking to bypass UAC. It's very noisy.

If the exploit is successful, the payload is downloaded and executed and then requests are made to the following sites to download crimeware:

zemmes-gimbl[.]com/b/shoe/1928
chanse-leaf[.]com/com_phocaguestbook/jquery/

A file called "UpdateFlashPlayer_[random].exe" is downloaded to the temp folder with the hidden attribute set which prompts the user incessantly.

File: applet.jar
MD5: 9c6317f0c22b0782fac5858d0c4c4886
VT: 4/52

File: flash1.swf
MD5: 65aff3a3774298b3ed5ba2c43f8a1979
VT: 0/52

File: flash2.swf
MD5: 40fd69626f5248012b6d5bd2e4d2fc9b
VT: 0/52

File: 264078.exe
MD5: e4f53ece665e71955bf8f9170e3324a1
VT: 9/52

File: ewuwxeu.exe
MD5: ea8dbf470fb0dc41e10d2dcf69f53153
VT: 14/52

File: UpdateFlashPlayer_5386a177.exe
MD5: 60b1cbb5d9af6125d011bd7306afec64
VT: 2/51

File: UpdateFlashPlayer_9609e705.exe
MD5: 8caf8b2f7198bc757541a93267447460
VT: 10/52

Posted on: 05/12/2014