A Quick Look at a Recent RIG Exploit Kit Sample

By Tim Lau | September 30, 2015

RIG Exploit Kit was upgraded to v3.0 a while back. While RIG EK was never as active as other exploit kits such as Angler or Nuclear, it is one of the more 'stable' EKs in terms of its near constant presence on the Internet.

We will talk about a recent RIG EK sample. Here is the landing page information captured by our automated system in FortiGuard Labs.

(Captured landing page record with the fields Exploit Kit and Attack ID; referrer chain and host information redacted.)

As always, the analysis starts at the exploit page. At the end of the page (which we have not cited explicitly due to security concerns) is this piece of code:

From the way the code is jammed into the page (such as the 2 </body> tags), it is probable that this code is not part of the original page.
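The duplicated </body> observation above can be turned into a triage check for crawled or cached pages. The following is an added example, not code from the original post: it flags pages with more than one closing body tag, or with script, iframe, object or embed elements placed after the first one. The function name, sample pages and the example.invalid host are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that can pull in or run remote content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class TrailingContentScanner(HTMLParser):
    """Records each </body> and any active element seen after the first one."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.body_closes = []  # line number of every </body>
        self.trailing = []     # (line, tag, referenced URL) after the first </body>

    def handle_starttag(self, tag, attrs):
        if self.body_closes and tag in ACTIVE_TAGS:
            a = dict(attrs)
            ref = a.get("src") or a.get("data") or ""
            self.trailing.append((self.getpos()[0], tag, ref))

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closes.append(self.getpos()[0])


def scan(html):
    """Return a small report dict for one HTML document."""
    p = TrailingContentScanner()
    p.feed(html)
    p.close()
    return {
        "body_closes": len(p.body_closes),
        "trailing": p.trailing,
        "suspicious": len(p.body_closes) > 1 or bool(p.trailing),
    }


# Constructed samples: a clean page, and one with content appended after </body>.
SAMPLE_CLEAN = """<html>
<body><p>Welcome</p><script src="/app.js"></script></body>
</html>
"""
SAMPLE_INJECTED = """<html>
<body>
<p>Welcome</p>
</body>
<object data="http://ads.example.invalid/banner.swf" width="1" height="1"></object>
</body>
</html>
"""

if __name__ == "__main__":
    for name, page in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(name, scan(page))
```

Sloppy but legitimate markup can also trip this check, so a hit is a reason to look at the trailing element and its URL, not a verdict on its own.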

Requesting the embedded Flash file returns a SWF file:

The Flash file contains only the following ActionScript 3 package:

The iframe URL contains a refresh link to a landing page that is divided into 4 obfuscated sections. The sections are obfuscated with the same style, but with different protected data. 

The first section decodes to JavaScript that detects the presence of a virtual machine and antivirus software:

The second section decodes to a base64-packed exploit:

This is the CVE-2014-6332 VBScript exploit in a slightly modified and encrypted form:

The third section embeds a Flash file that contains an exploit for CVE-2015-5119 (the other link is the CryptoWall executable payload):

The fourth and last section contains another IE exploit, CVE-2013-2551:

The payload is the ransomware CryptoWall. 

All in all, this is not a particularly hard sample to figure out.