The Minerva Labs Research team has recently encountered a resurgence of the Rig exploit kit. This infamous exploit kit has reportedly been used by threat actors since 2015 (as reported by Trustwave). The sample we encountered exploits an as-yet unidentified Internet Explorer vulnerability (browser version 11.00.9600.19178) in order to execute malicious commands on the target machine.

The command drops a JavaScript file to disk, which is then executed by a wscript process. The script contacts the C2 address supplied on its command line in order to download the final payload, which in a similar case posted by BroadAnalysis was Sodinokibi ransomware.
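As an added example (not Minerva's code and not part of the original post), the following Python snippet flags the chain described above in process-creation telemetry: a wscript/cscript process that descends from iexplore.exe and carries both a .js file and a URL on its command line, with the URL defanged for reporting. The event field names and the sample events are assumptions constructed for the example.

```python
import re

# The two pieces the post describes on the wscript command line:
# a JavaScript file that was dropped to disk, and the C2 URL.
JS_ARG = re.compile(r'(?i)"?[^"\s]+\.js"?')
URL_ARG = re.compile(r'(?i)https?://[^\s"]+')
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp, dots in the host bracketed."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def find_script_host_c2(events):
    """Return (pid, js_path, defanged_url) for every script-host process that has
    iexplore.exe somewhere in its parent chain and names both a .js file and a URL."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower().rsplit("\\", 1)[-1] not in SCRIPT_HOSTS:
            continue
        # Walk up the parent chain (e.g. wscript <- cmd <- iexplore) looking for the browser.
        parent, from_browser = by_pid.get(e["ppid"]), False
        while parent is not None and not from_browser:
            from_browser = parent["image"].lower().endswith("\\iexplore.exe")
            parent = by_pid.get(parent["ppid"])
        if not from_browser:
            continue
        js, url = JS_ARG.search(e["cmdline"]), URL_ARG.search(e["cmdline"])
        if js and url:
            hits.append((e["pid"], js.group(0).strip('"'), defang(url.group(0))))
    return hits


# Constructed sample events (assumed Sysmon-like fields; not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c <dropper command elided>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\update.js" http://198.51.100.23/?example'},
    # Benign logon script: no browser ancestor and no URL, so it is not flagged.
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.js"},
]

if __name__ == "__main__":
    for hit in find_script_host_c2(SAMPLE_EVENTS):
        print(hit)
```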


Minerva prevents the Rig Exploit Kit with our Living Off the Land protection, which hides key operating system features from attackers.

IOCs:

C2:

http://116[.]202[.]177[.]131/?MjU2ODM2^&bOwWDvmg^&obyvan4=wnzQMvXcLBXQFYPCJPPcTKZEM1HRH0SD2YuYnLG3YpzNZGX_0vHDfF_yrwrcCl6JtcMoL^&KRiLAWVF=why^&OojPmAB=twix^&OwM=why^&PZlbwDcf=bobs^&XaeCCeiPN=pinny^&shufflet4=OBXaQHjjEbWewc1ldoMUVsX962t2hDVyxeeg8TU_kaKMlhGrpSSJLI40F_zzYFJMMgl9w^&QKelWLRtH=street^&sZb=cars^&oaCImbZvB=why^&yfmWexqE=street^&JehFhNJ=why^&vSjmTv=twix^&kXa=community^&naeMjM5NDA5

Hashes:

b948f0114e6cecd076a891f0961cd96441309d210e8ba16dd48014b24690895d

(the JavaScript file)

If you’ve been the victim of an exploit kit attack, or you’d like to learn more about how to prevent ransomware attacks, please contact us.