The infrastructure of the RIG exploit kit has been seriously disrupted by a group of independent researchers and security companies led by RSA. The operation, dubbed “Shadowfall”, also gave the researchers an opportunity to learn more about how the exploit kit operates.
Several independent researchers, along with employees of Broad Analysis, Palo Alto Networks and Malwarebytes, joined the project. RSA announced the results of the operation on Monday, June 5.
After the notorious Angler exploit kit disappeared, RIG rose to the top of the exploit kit market. It has been used to distribute various malware families, including the CryptoMix and Cerber ransomware and the SmokeLoader backdoor. RIG relies on several Silverlight, Flash Player, Microsoft Edge and Internet Explorer exploits, which it delivers by injecting malicious iframes into compromised websites.
RIG also used domain shadowing, a technique in which attackers steal domain owners' registrar credentials and use them to create subdomains under legitimate domains that point to malicious servers. The researchers found tens of thousands of shadow domains connected to RIG, many of them registered through GoDaddy.
With GoDaddy's cooperation, many of these domains were taken down in the middle of last month. This significantly disrupted RIG, and in particular a few of its most recent campaigns, “Decimal IP” and “Seamless”. RSA noted, however, that the impact of takedown operations is hard to evaluate, mostly because of limited visibility into the attackers' activity and the sheer number of malware campaigns.
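Shadow subdomains of the kind described above tend to share three traits that a defender with passive-DNS visibility can test for: they are new, they resolve outside the hosting range the legitimate domain has used for years, and their labels look machine-generated, often several of them pointing at the same attacker IP. The following is an added example, not code from RSA or the Shadowfall participants; the domains, IPs and first-seen dates are constructed, and the /24 home-network inference, the 60-day window and the lexical check are heuristic assumptions a real deployment would tune.

```python
"""Heuristic domain-shadowing triage over passive-DNS-style records (added example)."""
from collections import Counter, defaultdict
from datetime import date
import ipaddress

# Constructed sample records: (fqdn, resolved IPv4, first-seen date).
# Domains and addresses are hypothetical (RFC 5737 documentation ranges).
RECORDS = [
    ("www.example-hosting.net",    "203.0.113.10", "2014-03-02"),
    ("mail.example-hosting.net",   "203.0.113.11", "2014-03-02"),
    ("blog.example-hosting.net",   "203.0.113.10", "2016-01-20"),
    ("x7g2k.example-hosting.net",  "198.51.100.5", "2017-05-14"),  # suspected shadow
    ("h3zq9r.example-hosting.net", "198.51.100.5", "2017-05-14"),  # suspected shadow
    ("pq8w1.example-hosting.net",  "198.51.100.7", "2017-05-15"),  # suspected shadow
    ("www.example-shop.org",       "192.0.2.20",   "2012-07-01"),
    ("shop.example-shop.org",      "192.0.2.21",   "2015-09-09"),
    ("staging.example-shop.org",   "192.0.2.22",   "2017-05-10"),  # new but legitimate
]


def apex_of(fqdn):
    """Assumption: two-label apex (no public-suffix list); adequate for the sample."""
    return ".".join(fqdn.split(".")[-2:])


def looks_random(label):
    """Crude lexical check: digits mixed with letters, or a longish label with almost no vowels."""
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return (has_digit and has_alpha) or (len(label) >= 5 and vowels / len(label) < 0.15)


def home_network(recs):
    """Infer the apex's own hosting range as the /24 of its oldest record (heuristic)."""
    oldest = min(recs, key=lambda r: r[2])
    return ipaddress.ip_network(f"{oldest[1]}/24", strict=False)


def find_shadow_candidates(records, today, max_age_days=60, min_reasons=3):
    """Return [(fqdn, ip, [reasons])] for hosts that trip at least min_reasons signals."""
    today = date.fromisoformat(today)
    by_apex = defaultdict(list)
    for fqdn, ip, first_seen in records:
        by_apex[apex_of(fqdn)].append((fqdn, ipaddress.ip_address(ip), date.fromisoformat(first_seen)))

    findings = []
    for apex, recs in by_apex.items():
        home = home_network(recs)
        recent = lambda seen: (today - seen).days <= max_age_days
        # How many newly seen hosts of this apex share each off-network IP.
        foreign_new = Counter(ip for _, ip, seen in recs if ip not in home and recent(seen))
        for fqdn, ip, seen in recs:
            reasons = []
            if ip not in home:
                reasons.append(f"resolves outside home network {home}")
            if recent(seen):
                reasons.append(f"first seen {(today - seen).days} days ago")
            label = fqdn[: -(len(apex) + 1)]
            if looks_random(label):
                reasons.append(f"random-looking label {label!r}")
            if foreign_new[ip] >= 2:
                reasons.append(f"{foreign_new[ip]} new hosts share {ip}")
            if len(reasons) >= min_reasons:
                findings.append((fqdn, str(ip), reasons))
    return findings


if __name__ == "__main__":
    for fqdn, ip, reasons in find_shadow_candidates(RECORDS, "2017-05-20"):
        print(f"{fqdn} -> {ip}")
        for r in reasons:
            print(f"    - {r}")
```

Requiring several independent signals is what keeps a legitimately new host such as `staging.example-shop.org` out of the output: it is recent, but it sits in the owner's own range and has an ordinary label. Shared attacker IPs across many fresh subdomains, the fourth signal, is the cheapest pivot for finding the rest of a campaign once one shadow domain is confirmed.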
The experts who took part in the operation said RIG was still active, but added that it had stopped using Flash Player exploits for a couple of days. On Monday, however, they noted that RIG had resumed using Flash exploits.
As for how the crooks obtained owners' credentials to create the shadow domains, RSA stated that the information does not appear to have come from Pony dumps. The Pony Trojan has been widely used in the last couple of years to hijack millions of accounts.
RSA said in a blog post: “In terms of the shadow domains themselves, it is believed that the threat actors waging these campaigns rely upon sophisticated phishing operations to acquire legitimate customer credentials. In terms of the compromised sites, the cross section of affected domain registrars implies a more opportunistic approach. While it remains unclear what methods may have been employed as a means for harvesting these credentials, community research exists on the usage of IoT botnets to brute force WordPress sites.”