Rig Exploit Kit Delivering Ransomware via Adobe Flash Exploit (CVE-2018-4878)


Exploit kits are very efficient tools used in the cybercrime underground. These frameworks are packed with a number of exploits and mechanisms to detect vulnerabilities in systems/applications and serve matching exploits.  For malicious actors, it is very convenient to purchase, rent or even steal exploit frameworks from their creators (usually higher skilled criminals) and put them to work and obtain profits from malicious activity. In other instances malicious actors can adapt code from open source frameworks and turn them into exploit kits (I.E blackhole vs Beef).

Exploit kits are versatile as they target different platforms (Windows, Linux) or devices (Desktops, Phones) and they can help criminals build up botnets pretty quick. Once the botnet is built, there are plenty of post exploitation payloads and additional attack tools that can be installed at victims for additional malicious activity such as Spam, DDoS, crypto mining, etc…

These exploit kits have evolved into many variants some of them more popular than others, one of the current popular ones is Rig Exploit kit (RigEK). This particular exploit kit has been observed to adapt and serve many different payloads in the recent years. A new campaign has been observed by security researcher Nao_Sec. In this campaign RigEK was serving GandCrab ransomware, rendering targeted systems unusable unless paying ransom in the form of DASH or BTC.


Figure shows GandCrab ransom demand message (From Nao_Sec Blog)

Ransomware payloads have been proven to be effective and are currently one of the most widespread attack efforts. To the victim it is usually cheaper to pay ransom instead of trying to decrypt the system. The use of cryptocurrency is also preferred for ransom payments as they provide a level of anonymity and obfuscation that enables these type of malicious activities.

Exploit kits work as quick hit approaches, but tend to have limited duration since once they are discovered, takedowns and prosecution may follow. They posses several obfuscation mechanisms that allow them to target specific populations such as countries, languages, range of IPs, specific applications, etc., and by doing so they avert detection and become more effective focusing on targeted vulnerable systems/applications/populations. During the writing of the threat advisory one of these mechanisms was observed when trying to reach exploit kit landing page.


Figure Shows RigEK customized message

Malicious actors know they are being observed and their tools are constantly probed by security companies and white hat researchers in order to publish information that allows effective defenses against these exploit kits. When these kits are “burned” they cease to be effective, making some of these campaigns short lived and forcing them to move on to other hosts, regions or simply stop. Observed malicious server was cleaned few hours after the writing of threat advisory and this blog, as the following message shown below.

For full details of exploit and payloads of this campaign please view the Threat Advisory here.



JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.


Share on