Conquer The Rig Exploit Kit
After the Angler Exploit Kit became less prevalent, the RIG exploit kit quickly took its place to become one of the most “popular” exploit kits in the underground. This blog is a complete analysis of technologies used in the Rig exploit kit.
The Landing Page:
All exploit kits begin when a victim visits a compromised web page. As you can see below, the hacked website returns a gzip-compressed reply. This reply contains an HTML ‘iframe’ which links to a landing page.
The victim’s web browser follows the ‘iframe’ URL without detection.
The function “dfhghkjghj” creates a ‘div’ tag whose content is generated by the function “fghdsdsdfj”.
The new “div” contains a Flash object which the victim’s web browser will retrieve. Depending on the victim’s web browser, the conditional comment “<!--[if !IE]>-->” is used to route the victim to the appropriate Flash payload for their system.
The “FlashVars” value is passed as a parameter when the Flash payload gets executed on the victim’s system, and contains partially encrypted shell code. This technique allows the exploit kit writer to change the shell code dynamically without changing the Flash payload itself.
The Flash file exploits a vulnerability in the victim’s Adobe Flash player plug-in, and then executes the shell code loaded from the landing page.
“FlashVars” is passed to “_loc3_”, then a shell code decryption function is called to extract the second half of the shell code. The first part of the shell code is also decrypted from the Adobe Flash file’s binary data. This part is used to XOR-decrypt the second part of “FlashVars”. “_loc2_” then holds the final shell code, which is ready to be executed once the Flash vulnerability has been exploited.
CVE-2015-8651 is used to exploit the victim’s Flash installation.
After successfully exploiting the vulnerability, the shell code is executed. After changing the Flash file’s binary, I’m able to extract the shell code.
The Shell Code
To analyze the shell code, we need a debugger tool. There is a very good tool called “shellcode2exe” which allows us to convert the shell code to a Windows executable file.
I used the tool and then loaded the generated executable file into the debugger.
Here we can see why the shell code is structured in two parts. The first part is an XOR decryption routine that decrypts the second part of the shell code taken from the FlashVars. Here the key is 0x19.
The shell code loads the library “urlmon.dll”, then calls the function “URLDownloadToFileA” to fetch the final payload, which can be a Trojan program or ransomware.
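As an added example (not code from the original post), a small Python triage script that models the two-stage structure described above: it pulls the FlashVars value out of a captured landing page, XOR-decodes it with the observed single-byte key 0x19, and reports which API strings (urlmon.dll, URLDownloadToFileA) the decoded stage references. The FlashVars layout (an `exec=` parameter holding a hex string), the pattern names and the sample page are constructed assumptions, not details from the kit.

```python
"""Triage helper for a captured Rig landing page (added example).

Assumptions (not from the original analysis): the encrypted second stage is
carried in FlashVars as 'exec=<hex>' and the key is the single byte 0x19
observed in the debugger.
"""
import re
from typing import Dict, List, Optional

XOR_KEY = 0x19  # key observed in the first-stage decryption routine
# strings the decrypted second stage resolves before downloading the payload
API_STRINGS = (b"urlmon.dll", b"URLDownloadToFileA", b"kernel32.dll", b"WinExec")
# FlashVars can be a <param> on an <object> or an attribute on <embed>
_PATTERNS = (
    r'name="FlashVars"\s+value="([^"]*)"',
    r'\bflashvars="([^"]*)"',
)

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def extract_flashvars(html: str) -> Optional[str]:
    for pat in _PATTERNS:
        m = re.search(pat, html, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def decode_stage2(flashvars: str) -> bytes:
    """Assumed layout: exec=<hex-encoded, XOR-encrypted shell code>."""
    if "exec=" not in flashvars:
        raise ValueError("no exec= parameter in FlashVars")
    return xor_decode(bytes.fromhex(flashvars.split("exec=", 1)[1]))

def find_api_strings(blob: bytes) -> List[str]:
    return [s.decode() for s in API_STRINGS if s in blob]

def analyse(html: str) -> Dict[str, object]:
    fv = extract_flashvars(html)
    if fv is None:
        return {"flashvars": False, "api_strings": [], "stage2": b""}
    stage2 = decode_stage2(fv)
    return {"flashvars": True, "api_strings": find_api_strings(stage2), "stage2": stage2}

# constructed sample: a fake second stage with the strings the real shell
# code uses, encrypted with the same key and wrapped in a minimal landing page
_FAKE_STAGE2 = b"urlmon.dll\x00URLDownloadToFileA\x00http://example.invalid/p.exe\x00"
SAMPLE_HTML = ('<object type="application/x-shockwave-flash" data="x.swf">'
               '<param name="FlashVars" value="exec=' + xor_decode(_FAKE_STAGE2).hex() + '">'
               '</object>')

if __name__ == "__main__":
    print(analyse(SAMPLE_HTML)["api_strings"])  # ['urlmon.dll', 'URLDownloadToFileA']
```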
I dumped the executable out and loaded it into our automatic malware analysis system to get the dropped files.
The Rig exploit kit has a complicated architecture and is actively being developed. The Rig exploit kit we saw a few months ago was much weaker than today’s, so we are sure that more sophisticated attacks are on the way. As exploit kits evolve, you also need a continuously updated security solution.