Thursday11 August 2022

Trustwave shows off an impressive copromise of RIG's admin servers at Black Hat 2015

Reading time is around minutes.

In addition to seeing more than a few products and ideas during Black Hat and DEF CON we also had the chance to see something really cool from the team at Trustwave. This was not a product, but a chance to see the back end of the command and control servers for a new and improved version of the RIG exploit kit. To say that what they showed was impressive is an understatement.

If you are not familiar with RIG we should give you are little background. RIG is similar in nature to Black Hole and other exploit kits that allow people to pay to use their bot nets. When you buy time on the bot net for a campaign you get to use a certain number of systems to push out a payload of your choosing. Where RIG seems to be a little different is that during its second incarnation they actually supported a reseller model like other SAAS companies. Trustwave says that during this time a reseller that might have been a little annoyed and he released some code related to the operation of the site.

Researchers at Trustwave take this information and begin working on a way to get into two identified admin servers that are listed. In the end they have been able to completely compromise the servers in question and were able to show me an impressive level of access into the servers. To kick off Trustwave explained that the latest version of RIG has expanded to include roughly 1.25 million infected systems and that they are increasing at a rate of around 26,000 infected systems per day. They also currently have around 500 customers and charge $500 per month for access to their systems. Roughly 70% of the traffic running to these servers belong to one customer.

Trustwave also identified two administrative servers that control all of the infected systems. These systems are responsible for monitoring the campaigns and the access level to the customers that connect. The system hosts the exploit kit, but individual customers have to push up their own payloads. In RIG 2.0 the payloads were executables in raw format. It was this that researchers believe allowed the collection and leak of source code related to RIG. In the latest version payloads are stored in binary blobs in a database and served from there. This prevents the possibility of allowing a hooked file to infect the system as happened in v.2.0.

Now things get sort of interesting from here. It seems that the largest customer is pushing out a spambot for use in malvertising (which is 90% of the traffic anyway). This malvertising campaign also seems to be comprised of systems that are already infected. It means that someone is could be reselling already known infected systems to RIG’s largest customer. It is not clear why they are doing this, but Trustwave is certain that it is happening. One reason might be that when you are talking about ad fraud it does not matter if the target systems are already infected, it could even make adding in the new payloads simpler.

One the back end Trustwave said that the admin servers have undergone several large changes in the new version of RIG. They have been moved to run inside Cloudflare due to repeated DDoS attacks from rival gangs. RIG’s owners have also moved away from static URLs to dynamic. This allows them to continuously check them to see if they have been black listed or blocked. On the exploit side there is strong evidence that they are using an anonymous virus catalog (Sacn4You) to check that their exploits are not listed. These scanning services do not report back to AV companies so everything is all good there. If one does show up they quickly mutate the package to keep working. RIGs exploits and payloads are encrypted to by-pass malware scanners and other security tools. They update the encryption of the exploit kit and other tools to keep things open. Turstwave showed us the back end on one of the servers where we saw the common exploits as well as the live encryption keys being used in active attacks. It was impressive to see the level of sophistication in this tool kit as well as to find out that RIG’s owners appear to be hiring engineers to reverse engineer patches and updates so that their exploits are still relevant. This means they understand the patch and update cycles and are using them to keep ahead of the game.

It seems that this is the new trend in Exploit As A Service systems. The level of sophistication is growing as the potential for revenue grows. It is very hard to stop as many of the countries where these are run from do not care about the activities as long as they are not targeting their own citizens. Trustwave was not able to tell us anything about the ongoing investigation into RIG and its owners and customers, but we do know that they are working closely with the police on this. We hope they do stop them, but in the end even if RIG goes away we are very likely to see more systems like RIG pop up to take its place.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.