RIG Exploit Kit is Still Alive

Delaware, USA ā€“ May 15, 2018 ā€“ Despite the fact that since 2016 the active use of exploit kits is on the wane, attackers continue to leverage them for delivery of malware. Experts from FireEye published a research in which they analyzed recent attacks using RIG to deliver Grobios trojan. The attacks follow a standard pattern: victims visit compromised website, from where they are redirected to RIG landing page that uses SWF to download and run Grobios malware. Trojan leverages several techniques to avoid detection and achieve persistence on the infected system. It runs its own copy that injects malicious code in IEXPLORER.EXE or svchost.exe, then malware saves multiple copies of itself in Temp directory and in subfolders of a legitimate program in Programm files, adds them to autorun or creates scheduled tasks. To hide its copies, the trojan changes their Created/Modified/Accessed dates and removes Zone.Identifier flag. These actions complicate detection and analysis of the malware. Next, it performs an in-depth scan of the system for malware analysis tools and the virtual machine, and only after that, it connects to the command & control server for instructions.

The researchers noted that RIG exploit kit is used to deliver various malware that endangers the security of corporate networks where it is difficult to track timely patching. CyberView helps visualize Patch and Vulnerability Management process in your organization allowing quickly identify vulnerable systems and install critical updates.