First off, apologies for the lack of updates. I have been following a few Rig EK campaigns lately but have not really seen anything new in terms of payloads. I have also not done the usual picture, just a small version (with one mistake in it). I have been very busy lately with a career move and juggling life in general.
There have been a few Rig EK changes, such as the RC4 key changing, which @Nao_sec has reported on. I'll dig into these myself at some point.
Nonetheless, if you are looking for Rig EK, hopefully this blog post will help you find a source. These three campaigns are good sources for Rig EK, so happy hunting!
- A few articles on Rig exploit kit and its evolution:
- Oldish article regarding Chthonic banking trojan:
- Article on Bunitu Trojan:
- Article on Dreambot:
(in password-protected zip, password: infected)
- 28-July-2017-Rig-Multi-PCAP -> Pcap of traffic
- 28-July-2017-Rig-Multi-CSV -> CSV of the traffic for IOCs
- 28-July-2017-Rig-BunituChthonicDreambot -> Dreambot, Chthonic and Bunitu
Details of infection chain:
There are three campaigns currently that are easy sources of Rig EK.
Fobos is the campaign's “official” name, but I call it the “Small gate” because the injected iframe always contains the “<small>” tag. The landing sites are often decoy websites with a casino or gaming theme. On them there is an iframe pointing either to a domain on the same IP or to another IP that belongs to the threat actor, and that page in turn carries an iframe to Rig EK. Currently it drops the Bunitu proxy trojan.
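To turn the "Small gate" description into something you can run over captured page content, here is an added detection example (my own code, not anything from this blog or the campaign tracking it references). It parses HTML with the standard-library parser, records every iframe and whether it sits inside a `<small>` element, and flags the ones whose target host differs from the host the page was served from, which is the gate-to-second-host hop described above. The sample page, the hostnames in it, and the `page_host` value are all constructed for the example; the 1x1 "hidden" check is an extra heuristic of mine, not something the post states about this campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real capture): a decoy "casino" site carrying
# a <small>-wrapped iframe to a second host, plus an ordinary same-site iframe
# that should not be flagged.
SAMPLE_HTML = """<html><body>
<h1>Lucky Casino Games</h1>
<p>Play now!</p>
<small><iframe src="http://second-stage.example/index.php" width="1" height="1"></iframe></small>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
</body></html>"""


class SmallGateFinder(HTMLParser):
    """Collects every iframe and notes whether it is nested inside <small>."""

    def __init__(self):
        super().__init__()
        self.small_depth = 0   # >0 while inside one or more <small> elements
        self.iframes = []      # dicts: src, in_small, width, height

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "small":
            self.small_depth += 1
        elif tag == "iframe":
            self.iframes.append({
                "src": attrs.get("src", ""),
                "in_small": self.small_depth > 0,
                "width": attrs.get("width"),
                "height": attrs.get("height"),
            })

    def handle_endtag(self, tag):
        if tag == "small" and self.small_depth > 0:
            self.small_depth -= 1


def is_tiny(value):
    """True when a width/height attribute parses to 1 px or less."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


def find_small_gate_iframes(html, page_host):
    """Return iframes wrapped in <small> that point at a host other than
    page_host (the hostname the HTML was served from; assumed to be known
    from the capture, e.g. the HTTP Host header)."""
    parser = SmallGateFinder()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        target = urlparse(frame["src"]).hostname
        if frame["in_small"] and target and target != page_host:
            hits.append({
                "src": frame["src"],
                "target_host": target,
                "hidden": is_tiny(frame["width"]) and is_tiny(frame["height"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_small_gate_iframes(SAMPLE_HTML, "decoy-casino.example"):
        print(hit)
```

Feed it the response bodies from the PCAP (for example, exported from Wireshark) together with the Host header of each response, and the `target_host` values it reports are the candidate next-hop domains to pivot on in the CSV of IOCs.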