A study conducted by RSA on the RIG exploit kit has not only led to a better understanding of how the exploit kit operates, but resulted in finding and shutting down thousands of shadow domain sources.
While the research confirmed a great deal that was already known about RIG, it did turn up some new and useful information – the highlight being that it identified 395 unique subdomains serving RIG landing pages, which allowed RSA to isolate the registrant emails owning those subdomains. This, in turn, let RSA identify all the related domains and subdomains, along with the shadow domains hosted by a major provider.
“As a direct result of these efforts, tens of thousands of active shadow domain resources were removed from RIG, malvertising, and malspam operations,” the report stated.
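The pivot described above (landing-page subdomains → registrant email → every domain that account owns → the subdomains created under them long after the apex was registered) is the core of a domain-shadowing takedown. The following is an added illustration, not RSA's or GoDaddy's code, and it runs over a constructed inventory of invented domain names with a hypothetical `SEED_LANDING_PAGES` set standing in for the 395 observed subdomains. The apex extraction is deliberately naive (last two labels); a production tool would use the Public Suffix List.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory, as a registrar or passive-DNS export might look:
# (fqdn, registrant_email, apex_registration_date, subdomain_creation_date).
# Every name and address here is an invented placeholder.
SAMPLE_RECORDS = [
    ("www.bakery-example.com",   "owner1@example.net", "2009-03-01", "2009-03-01"),
    ("xk3q9.bakery-example.com", "owner1@example.net", "2009-03-01", "2017-02-14"),
    ("p0lm2.bakery-example.com", "owner1@example.net", "2009-03-01", "2017-02-16"),
    ("www.plumber-example.org",  "owner1@example.net", "2011-07-20", "2011-07-20"),
    ("zz81a.plumber-example.org","owner1@example.net", "2011-07-20", "2017-02-15"),
    ("www.florist-example.com",  "owner2@example.net", "2014-01-05", "2014-01-05"),
    ("blog.florist-example.com", "owner2@example.net", "2014-01-05", "2014-02-01"),
]

# Hypothetical seed: one subdomain observed serving an exploit-kit landing page.
SEED_LANDING_PAGES = {"xk3q9.bakery-example.com"}


def apex_of(fqdn: str) -> str:
    """Naive apex: last two labels. Does not handle suffixes like co.uk."""
    return ".".join(fqdn.lower().split(".")[-2:])


def pivot_shadow_domains(records, seeds, min_age_days: int = 365) -> dict:
    """Expand seed landing-page hosts to the full set of shadow subdomains.

    A shadow subdomain is one created under a long-registered apex domain
    well after that apex was registered: the signature of a hijacked
    registrant account, as opposed to a freshly registered throwaway domain.
    """
    by_apex = defaultdict(list)
    email_by_apex = {}
    for fqdn, email, apex_reg, sub_created in records:
        a = apex_of(fqdn)
        by_apex[a].append((fqdn, apex_reg, sub_created))
        email_by_apex[a] = email

    # Step 1: registrant emails behind the apex domains of the seed hosts.
    seed_emails = {email_by_apex[apex_of(s)] for s in seeds if apex_of(s) in email_by_apex}

    # Step 2: every apex domain owned by those accounts.
    related_apexes = {a for a, e in email_by_apex.items() if e in seed_emails}

    # Step 3: within those apexes, subdomains created long after registration.
    shadow = defaultdict(list)
    for a in sorted(related_apexes):
        for fqdn, apex_reg, sub_created in by_apex[a]:
            age = (date.fromisoformat(sub_created) - date.fromisoformat(apex_reg)).days
            if age >= min_age_days:
                shadow[a].append(fqdn)

    return {
        "registrant_emails": sorted(seed_emails),
        "related_apexes": sorted(related_apexes),
        "shadow_subdomains": {a: sorted(v) for a, v in shadow.items()},
    }


if __name__ == "__main__":
    result = pivot_shadow_domains(SAMPLE_RECORDS, SEED_LANDING_PAGES)
    for apex, hosts in result["shadow_subdomains"].items():
        print(f"{apex}: {', '.join(hosts)}")
```

Starting from a single observed host, the pivot surfaces a second apex domain (`plumber-example.org`) that never appeared in the seed set but belongs to the same compromised registrant account, which is exactly how a handful of observed landing pages can expand into tens of thousands of removable shadow resources.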
Other results showed that RIG continues to be a popular exploit kit (EK) used to deliver a wide variety of payloads, including Cerber, Locky and Cryptoshield ransomware, among others. It continues to do so using iFrames injected into compromised WordPress, Joomla and Drupal sites, along with malvertising, to drive victims to RIG landing pages that contain the malware.
The research found several active campaigns using RIG: PseudoDarkleech, EITEST, Seamless and Decimal-IP.
The month-long research project took place between February and March and was done in conjunction with GoDaddy and several independent researchers.