Similar to Terror EK, the RIG EK gained a lot of footing in the EK market after the downfall of the Angler, Neutrino, and Nuclear exploit kits.
However, in the recent Shadowfall operation, researchers coordinated to take down much of the infrastructure behind RIG.
RIG uses domain shadowing, a technique in which attackers use compromised hosting accounts to create hidden subdomains under legitimate websites. Researchers believe that most of these accounts were taken over using login credentials phished from customers of the GoDaddy hosting service.
During the takedown operation, researchers saw upwards of 450 malicious subdomains being created every day, which shows the rapid rate at which the infrastructure behind these campaigns shifts to avoid detection.
Malicious subdomains contained a hidden JavaScript element that redirected victims through multiple domains until they landed on "gate" servers, which filtered out victims based on their browser, operating system, and geographic location. Eligible victims were then redirected to "landing pages" where the exploit itself (usually targeting Java and Flash) actually ran.
Once this step is complete, the exploit kit will download malware such as Trojans and ransomware onto the victim's computer for execution.
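The shadowing pattern above leaves a footprint in passive-DNS "first seen" data: a long-established domain suddenly sprouts many never-before-seen subdomains in a single day. The detection sketch below is an added example, not code from ThreatSTOP or the Shadowfall researchers; the records, the `example-blog.com` hostnames, the per-apex threshold and the two-label apex heuristic are all constructed assumptions.

```python
"""Flag apex domains that suddenly sprout many new subdomains, the
pattern domain shadowing leaves in passive-DNS "first seen" data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of passive-DNS first-seen records: (timestamp, hostname).
# example-blog.com stands in for a legitimate site whose hosting account was abused.
SAMPLE_RECORDS = [
    ("2017-05-01T08:00:00", "www.example-blog.com"),
    ("2017-05-01T08:01:00", "mail.example-blog.com"),
    ("2017-05-02T03:12:00", "xk3f9.example-blog.com"),
    ("2017-05-02T03:15:00", "q8w2v.example-blog.com"),
    ("2017-05-02T03:20:00", "hj7yt.example-blog.com"),
    ("2017-05-02T03:31:00", "p0lm4.example-blog.com"),
    ("2017-05-02T09:00:00", "shop.example-store.net"),
]

def apex_of(hostname):
    """Registrable domain, approximated as the last two labels (assumption:
    no public-suffix handling, so co.uk-style suffixes are out of scope)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def new_subdomains_per_day(records):
    """Map (apex, day) -> set of distinct hostnames first seen on that day,
    ignoring the apex itself."""
    seen = defaultdict(set)
    for ts, host in records:
        host = host.lower().rstrip(".")
        apex = apex_of(host)
        if host == apex:
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        seen[(apex, day)].add(host)
    return seen

def find_shadowed_apexes(records, threshold=3):
    """Return {apex: [(day, count), ...]} for apexes whose count of newly
    seen subdomains on a day reaches the threshold. The threshold is a
    tunable assumption; the 450/day figure in the text is campaign-wide,
    not per apex, so per-apex baselines must be set from your own data."""
    hits = defaultdict(list)
    for (apex, day), hosts in sorted(new_subdomains_per_day(records).items()):
        if len(hosts) >= threshold:
            hits[apex].append((day, len(hosts)))
    return dict(hits)

if __name__ == "__main__":
    for apex, days in find_shadowed_apexes(SAMPLE_RECORDS).items():
        print(apex, days)
```

A hit only says the apex deserves a look; confirming shadowing means checking whether the new subdomains resolve to hosts unrelated to the legitimate site's infrastructure.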
Though this operation was successful in removing tens of thousands of shadow domains, it remains to be seen if RIG will still maintain its popularity.
Enabling the TSCritical and Drive By targets in policies for the ThreatSTOP DNS and IP Firewall Services protects against exploit kits like the RIG EK. If you do not have a ThreatSTOP account,
If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our