RIG exploit kit suffered a setback as researchers and security firms dug into the details behind the ongoing threat.
RSA unveiled the results of the operation called “Shadowfall.” Several independent researchers and employees of Malwarebytes, Palo Alto Networks and Broad Analysis worked together on the project.
Following the disappearance of Angler, RIG was the leader in the exploit kit market. It was distributing malware, which included Cerber and CryptoMix ransomware, and the SmokeLoader backdoor. RIG has leveraged several Flash Player, Silverlight, Internet Explorer and Microsoft Edge exploits, which it mainly delivers by injecting malicious iframes into compromised websites.
One important component of RIG attacks is domain shadowing. This is when attackers steal credentials from domain owners and use them to create subdomains that point to malicious servers.
In the case of RIG, researchers identified tens of thousands of shadow domains. An analysis of whois data for these shadow domains showed that many of them had been registered with GoDaddy.
With the aid of GoDaddy, tens of thousands of malicious domains were removed in mid-May, striking a significant blow to RIG, particularly a couple of recent campaigns dubbed “Seamless” and “Decimal IP.”
RSA did say, however, assessing the impact of takedown operations is not an easy task, especially in this case due to the numerous malware campaigns and limited visibility into the threat actor’s activity.
The researchers involved in the operation reported that the exploit kit continued to be active, but noted that it had stopped using Flash Player exploits for a few days. Experts noticed Monday RIG had resumed the use of Flash exploits.
As for how attackers managed to hijack the accounts used to create shadow domains, RSA has determined that the compromised credentials don’t appear to come from Pony dumps – the Pony Trojan has been used in the past years to steal millions of account credentials.