The source code of the RIG exploit kit has been leaked online. As with other similar leaks of malware source code, it was first put up for sale on an underground hacker forum and then became publicly available. Exploit kits are malicious tools used to automatically install malware on users' computers through exploits for browsers or their plug-ins.


Fig. RIG EK source tree.
Strictly speaking, the “exploit kit” itself is a control panel written in PHP that manages the available exploits, keeps statistics on their use, and hosts the malicious programs that are downloaded to the user's computer and installed there. Its stated features include reliable operation (infection) on both 32-bit and 64-bit Windows, User Account Control (UAC) bypass in the exploits, and the ability to change the domains used by the exploits depending on their detection by AV scanners.
Version 2.0 has the following exploits in its arsenal:
- CVE-2012-0507 (Java)
- CVE-2013-0074 (Silverlight)
- CVE-2013-2465 (Java)
- CVE-2013-2551 (Internet Explorer 7-8-9)
- CVE-2013-0322 (Internet Explorer 10)
- CVE-2014-0497 (Flash Player)
- CVE-2014-0311 (Flash Player)

Fig. The RIG EK function from the \www\manage\p_exploits.php file, which is responsible for capturing exploit usage statistics.
The abundance of Russian-language comments in the source code clearly points to the origin of RIG EK.

The leak of the RIG EK source code may lead to its use by other attackers, as well as to the emergence of new versions adapted to deliver malware through more modern exploits. As a rule, attackers organize drive-by download attacks using one set of exploits or another to install malware covertly.