A RIG Exploit Kit (EK) campaign is using sophisticated code injection techniques to mine Monero cryptocurrency on infected Windows PCs.
RIG Exploit Kit is one of the most powerful exploit kits actively traded on the dark web, and it has delivered payloads for many malware and ransomware families, including GandCrab ransomware and Panda Banker.
Code injection is a technique used to insert malicious code into an application. The injected code can compromise database integrity, website privacy and security, and even data correctness.
The attack chain starts at a compromised website: when users visit it, they are redirected to the RIG EK landing page.
RIG then delivers a malicious NSIS (Nullsoft Scriptable Install System) loader that uses code injection to place shellcode inside explorer.exe.
The injected shellcode retrieves the next-stage payload, which in turn downloads and executes the Monero miner.
Initially the user visits the compromised page, which contains an iframe leading to the RIG landing page; the landing page hosts three JavaScript loaders, each using a different technique to deliver the payload.
According to FireEye's analysis, once exploitation succeeds the shellcode invokes a command line to create a JavaScript file, which then downloads the next-stage payload under the filename u32.tmp.
Apart from the code injection technique, the attackers use multiple payload variants that evade detection through anti-analysis and anti-VM techniques.
The first stage of execution is the SmokeLoader payload, which consists of two components dropped by the RIG EK: a DLL and a data file. The DLL reads and decrypts the data file and hands control to the second-stage payload.
Compared with the first stage, the second-stage payload is highly obfuscated; it performs the code injection, injecting shellcode and a PE file into a legitimate Windows process.
The third-stage payload checks that no analysis tool is running on the victim's computer, and the malware then contacts the malicious URL to download the final payload.
The final payload is the Monero miner, which is downloaded from the server and installed on the Windows system to mine the Monero cryptocurrency.
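The chain above gives a defender three observable pivots: a script host launched with a .js file from a command line that descends from explorer.exe, that script host writing a file named u32.tmp, and a process under that script host reaching out to fetch the miner. The following Python is an added example written for this article, not code from FireEye or the article's author; it assumes a simplified Sysmon-style event stream (process create, file write, network connect), and every pid, path and hostname in the sample events is a constructed placeholder.

```python
from dataclasses import dataclass, field

# Windows script hosts that execute .js files
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Filename of the second-stage download named in the article
STAGE2_NAME = "u32.tmp"


@dataclass
class Event:
    kind: str          # "proc" (process create), "file" (file write) or "net" (outbound connection)
    pid: int
    image: str = ""    # image name, for "proc" events
    ppid: int = 0      # parent pid, for "proc" events
    cmdline: str = ""
    target: str = ""   # written path for "file", remote endpoint for "net"


@dataclass
class Proc:
    pid: int
    image: str
    ppid: int
    cmdline: str
    files: list = field(default_factory=list)
    conns: list = field(default_factory=list)


def build_tree(events):
    """Fold the flat event stream into per-process records keyed by pid."""
    procs = {}
    for e in events:
        if e.kind == "proc":
            procs[e.pid] = Proc(e.pid, e.image.lower(), e.ppid, e.cmdline)
        elif e.kind == "file" and e.pid in procs:
            procs[e.pid].files.append(e.target)
        elif e.kind == "net" and e.pid in procs:
            procs[e.pid].conns.append(e.target)
    return procs


def ancestor_pids(procs, pid):
    """Yield the pids of pid's ancestors, nearest first, guarding against pid-reuse loops."""
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        yield cur.pid


def detect_rig_chain(events):
    """One alert per script host matching the chain, highest score first.

    Base score 1: wscript/cscript running a .js with explorer.exe as an ancestor
    +1 if that script host wrote a file named u32.tmp
    +1 if the script host or one of its descendants made an outbound connection
    """
    procs = build_tree(events)
    alerts = []
    for p in procs.values():
        if p.image not in SCRIPT_HOSTS or ".js" not in p.cmdline.lower():
            continue
        if not any(procs[a].image == "explorer.exe" for a in ancestor_pids(procs, p.pid)):
            continue
        dropped = any(f.lower().endswith(STAGE2_NAME) for f in p.files)
        beacons = sorted(
            c for q in procs.values() for c in q.conns
            if q.pid == p.pid or p.pid in ancestor_pids(procs, q.pid)
        )
        alerts.append({
            "pid": p.pid,
            "cmdline": p.cmdline,
            "dropped_u32": dropped,
            "beacons": beacons,
            "score": 1 + int(dropped) + int(bool(beacons)),
        })
    return sorted(alerts, key=lambda a: -a["score"])


def high_confidence(alerts, min_score=2):
    """Keep only alerts that matched more than the first stage of the chain."""
    return [a for a in alerts if a["score"] >= min_score]


# Constructed sample telemetry (placeholder pids, paths and hosts; not from the article)
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event("proc", 100, "explorer.exe", 1),
    # shellcode inside explorer.exe invokes a command line that writes and runs a .js file
    Event("proc", 200, "cmd.exe", 100, rf"cmd.exe /c echo ... > {TMP}\a.js && wscript {TMP}\a.js"),
    Event("proc", 300, "wscript.exe", 200, rf"wscript.exe {TMP}\a.js"),
    Event("file", 300, target=rf"{TMP}\u32.tmp"),
    Event("proc", 400, "u32.tmp", 300, rf"{TMP}\u32.tmp"),
    Event("net", 400, target="payload.example:80"),
    # benign logon script also launched under explorer.exe, with no further activity
    Event("proc", 500, "wscript.exe", 100, r"wscript.exe C:\Scripts\logon.js"),
    # benign command with a connection but no script host involved
    Event("proc", 600, "cmd.exe", 100, "cmd.exe /c ping intranet.example"),
    Event("net", 600, target="intranet.example:0"),
]

if __name__ == "__main__":
    for a in detect_rig_chain(SAMPLE_EVENTS):
        print(a)
```

The scoring is deliberate: a script host under explorer.exe on its own is common (logon scripts, helpdesk tooling), so only the combination with the u32.tmp write or a descendant's outbound connection is worth paging on, while the base match still lands in the hunt queue.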