Saturday, January 18, 2025
HomeComputer SecurityHackers Using RIG Exploit Kit to Compromise Windows PC for Mining Crypto-Currency

Hackers Using RIG Exploit Kit to Compromise Windows PC for Mining Crypto-Currency

Published on

SIEM as a Service

Follow Us on Google News

A RIG Exploit Kit (EK) propagating sophisticated code injection techniques to mine Monero cryptocurrency from infected Windows PC.

Rig Exploit Kit is one of the powerful exploit kits that actively using in dark web and delivered various payload for many malware and ransomware families such as  GandCrab ransomware and Panda Banker.

Code injection Technique is used to inject malicious code into an application. The code introduced or injected is capable of compromising database integrity and/or compromising privacy website, security and even data correctness.

Attack chain initially started from the compromised website when users visit it which will then redirect them to RIG EK landing page.

Later RIG delivered the malicious loader NSIS (Nullsoft Scriptable Install System) to leverage the code injection technique and inject shellcode into explorer.exe.

Later infected shell code leverage the next level payload and the payload will download the Monero miner and execute it.

RIG Exploit Kit Injection analysis

Intially user visit the compromised page that contains an iframes which leads into the landing page of the RIG and it contains 3 javascript loader each contains differnet technique to deliver the paylaod.

  • Javascript 1 contains a function called “fa” which returns the VBscript that exploits  CVE-2016-0189 which allows it to download the payload.
  • Javascript 2 contains aditional javascript code to download the another exploit CVE-2015-2419  which utilizes a vulnerability in JSON.stringify.
  • Third Javascript similar to the second one and it adds a flash object that exploits CVE-2018-4878.

According to FireEye Analysis, Once all the exploitation will successfully completed  the shellcode invokes a command line to create a JavaScript file which will then download the next level of Paylaod with the filename called u32.tmp.

Apart from the code infection technique, Attackers using maltiple varaity of payload to evade the detection using anti analysis and anti VM techniques.

3 Stages of Payloads

First Stage of execution contain the SmokeLoader payload that contains two components: a DLL, and a data filewhich is dropped by the RIG EK which helps to read and decrypt the data file and redirect into the second level of Payload.

When we compare to the first level of payload, the second level is higly obfucticated and it perfrom the propagation of the code injection and inject the shellcode and PE in to legitimate windows process.

Third stage of the payload will check and confirm to make sure no analysis tool is runnig within the victms computer and the malware then communicates with the malicious URL to download the final payload.

The Final payload is the Monero Miner which is downloaded from the server and installed into the windows system to mine the Monero cryptocurrency.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Is this Website Safe: How to Check Website Safety – 2025

is this website safe? In this digital world, Check a website is safe is...

Firefox 133.0 Released with Multiple Security Updates – What’s New!

Mozilla has officially launched Firefox 133.0, offering enhanced features, significant performance improvements, and critical...

Digital Wallets Bypassed To Allow Purchase With Stolen Cards

Digital wallets enable users to securely store their financial information on smart devices and...