Analyzing Rig Exploit Kit
FirstWhen I began writing this article, I didn't know that Talos is writing detailed articles about RigEK. I read it after I finished writing this article, but it was a very nice and detailed analysis report. If you want to do a detailed analysis on RigEK, I recommend you refer to that article.
This article is a memo to keep information that is somewhat concisely summarized about RigEK for me in the future who will write a college graduation thesis after a few months ;)
Step 0There is a pcap that I captured by myself, but pcap that Brad organized is more beautiful than that, so I will use it. I appreciate Brad every day. Thank you for writing about the Drive-by Download attack and Exploit Kit.
Download pcap from Malware-traffic-analysis.
Step 1Kindly enough, zip contains html of Landing Page, but let's investigate in order this time.
First, I look at the end of html obtained when accessing the Compromised site, then a script is injected that tells it is EITest at first sight.
With this script tag "side[.]chobaniandyr[.]com" is read in iframe.
Step 2Let's see the Landing page of the loaded RigEK. You will see obfuscated code that is very verbose and difficult for humans to read.
It is divided into three below.
Step 3The obfuscation logic of Part 1~3 is common, it is very simple. Here I show the procedure to cancel obfuscation only for Part 3, which has the smallest code amount. In the same way Part 1 and Part 2 can also cancel obfuscation.
First of all, a string containing a lot of unfamiliar symbols appears, but it is split with a character string that is not familiar. By doing the following, it will become visually easy to understand.
I could decipher the obfuscation of the first step. Let's decipher the following obfuscation.
Step 4Obfuscation at the second stage is easy. You can see at a glance by looking at the code. It is only obfuscated by Base64. The result of decoding the base64 encoded character string is as follows.
Part1There is a great article below about this.
Part2There is a great article below about this.
Part3I am ignorant about swf, so I omit it.
FinallyIn this way, RigEK sends malware to users with a bit of obfuscation and multiple exploit codes. Perhaps after a few days or weeks these contents will change with RigEK updates. If I could observe it, I would write another article again.
Have a good analysis day😉