Currently, the RIG exploit kit (EK) is among the most popular crime kits infecting systems worldwide. A while ago, the threat was observed in a campaign which potentially impacted millions of users, exposing them to the SmokeLoader (aka Dofoil) malware.
After the Angler EK disappeared, other threats in the segment have been trying to fill the void. One of these is RIG, although it appears that the Neutrino EK has taken the reins for the time being.
Recently, the Forcepoint researchers have observed a RIG campaign which has targeted the users of Sprashivai[.]ru, a Russian Q&A and social networking website. The popular website has an estimated 20 million visitors monthly, so it is no wonder that RIG operators decided to attack it.
During the past two years, many high-profile websites were targeted by EKs via malvertising or other techniques, trying to expose as many users as possible to the malware they were carrying. In this instance, the website was compromised by an actor attempting to redirect users to RIG EK via an injected iFrame which loads the RIG EK loading page.
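The injection described above is the kind of thing a site operator can scan for on their own pages. The following is an added example, not code from Forcepoint or from the original article: it parses a fetched HTML document and flags `iframe` elements that are hidden by size or style, pushed off-screen by a parent container, or point at a host outside the site's own domain. The HTML sample and both domain names in it are constructed placeholders (`example-site.ru`, `ek-landing.invalid`), not indicators from the campaign.

```python
"""Flag suspicious <iframe> elements in a page's HTML (added example).

The sample page and hostnames below are constructed for illustration and
are not real indicators of compromise.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one benign, same-site embed and one injected frame that
# is tiny, styled invisible, and sits inside an off-screen container.
SAMPLE_HTML = """
<html><body>
<h1>Q&amp;A</h1>
<iframe src="https://www.example-site.ru/embed/video" width="560" height="315"></iframe>
<br>
<div style="position:absolute; left:-9999px">
<iframe src="http://ek-landing.invalid/index.php?id=123" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""

SITE_HOST = "www.example-site.ru"  # assumed host of the page being scanned

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "source", "wbr"}

OFFSCREEN_RE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px")


class IframeCollector(HTMLParser):
    """Collect every <iframe> together with the inline styles of its ancestors."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self._style_stack = []  # inline style of each currently open ancestor

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        if tag == "iframe":
            attrs["_inherited_style"] = " ".join(self._style_stack)
            self.frames.append(attrs)
        elif tag not in VOID_TAGS:
            self._style_stack.append(style)

    def handle_endtag(self, tag):
        if tag != "iframe" and tag not in VOID_TAGS and self._style_stack:
            self._style_stack.pop()


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    try:
        return int(re.sub(r"px$", "", (value or "").strip())) <= 1
    except ValueError:
        return False


def _registrable(host):
    """Crude registrable-domain approximation: last two labels of the host."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_iframes(html, site_host):
    """Return [{'src': ..., 'reasons': [...]}] for frames matching any heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.frames:
        reasons = []
        style = ((frame.get("style") or "") + " " + frame["_inherited_style"]).lower()
        compact = style.replace(" ", "")
        if _tiny(frame.get("width")) or _tiny(frame.get("height")):
            reasons.append("tiny-dimensions")
        if "display:none" in compact or "visibility:hidden" in compact:
            reasons.append("hidden-style")
        if OFFSCREEN_RE.search(compact):
            reasons.append("off-screen")
        host = urlparse(frame.get("src") or "").hostname or ""
        if host and _registrable(host) != _registrable(site_host):
            reasons.append("third-party-src")
        if reasons:
            findings.append({"src": frame.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run against a page fetched by a monitoring job, the visible same-site embed produces no finding while the injected frame is reported for all four reasons; the heuristics are deliberately simple and should be tuned against the site's own legitimate embeds before being used for alerting.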
Just like other exploit kits, RIG tries to leverage outdated, vulnerable software on targeted machines, in this case browser components such as the Adobe Flash Player plugin. If it finds an exploitable vulnerability, RIG would drop the SmokeLoader malware and then execute it. This entire process is performed in the background, without alerting the user and without requiring interaction, as part of an infection technique called drive-by-download.
Nicholas Griffin from Forcepoint claims that RIG was attempting to exploit the CVE-2015-8651 vulnerability in Flash Player, which Adobe fixed in an emergency patch in December last year. The Russian website had apparently been compromised since at least June 23, and it was still redirecting users to the exploit kit on June 29, although it had been notified of the issue on June 27.
The SmokeLoader backdoor, which was previously associated with the Retefe banking Trojan, is decrypted and executed on compromised machines after the RIG EK drops a Nullsoft Installer System (NSIS) executable.
This distribution method makes the attack hard for anti-virus solutions to detect, because NSIS files are legitimate installers and their scripting ability makes them extremely versatile.
SmokeLoader attempts to connect to its command and control server while also generating a large number of fake requests to legitimate websites. The malware was created to download plug-ins that can perform various nefarious operations on infected computers, including credential stealers, click-fraud components and additional Trojan downloaders.