Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

RIG Exploit Kit Source Code Leak - The End or Just the Beginning of RIG?

Recently, source code for the RIG exploit kit was leaked. An independent security researcher posted the news on his blog. An individual claiming to be one of the RIG exploit kit developers tried to sell the exploit kit service in several underground forums. Apparently, this person operated without the main developer's consent who quickly condemned these actions in chats and suspended the leaker's accounts.

In response, the individual leaked the source code for RIG "to help the security community." It is still unclear whether these were his true intentions, since according to our research the leaker was simply a RIG reseller that acted on his own and pulled all the files accessible to him. Below we discuss some insight we gleaned from taking a look at the recently leaked information.

In addition to parts of the source code, the contents of the leak included a partial export of the server database. This provided researchers with a quick peak into infections statistics for some campaigns. According to our analysis, this limited export accounts for only about 1,200 infections caused by the RIG exploit kit. According to our insight the person responsible for the leak could only access partial data.

Here we'd like to share a broader view of the infection infrastructure. The data we gathered shows that RIG's infrastructure consists of several instances of both management and infection servers. The amount of overall infections from all instances gathered stands at about 418,000 infections and a scary exploitation rate of 33%!

Here you'll see aggregated statistics from only a SINGLE instance:

RIG Statistics page 1

Notice that the Flash exploit has successfully infected more than 170,000 victims. This perfectly aligns with a 2014 trend where we saw Flash exploits dominating the market.

Let's take a look at the stats for a single campaign. The following campaign manager is one of a few "big fishes" relying on this RIG instance. This specific person (or a group more likely) apparently had so much traffic from compromised websites and malvertising that to the traffic was split to flow into 2 different batches (Flow 575 and Flow 576):

RIG Flow 575 Statistics 2

RIG Flow 576 Statistics 3

In total this campaign resulted in 383,227 successful infections!

The payload of this single campaign (at the time of our tests) was detected only by 4 AV vendors on VirusTotal, which once again shows how successful exploit kits can be at evading detection and infecting unsuspecting users.

RIG payload detection 4


Following this leak, the crooks might get cold feet and try to stay under the radar to elude law enforcement's attention. As a result we'd expect to see less activity. On the other hand, script kiddies may now use this source code to try and deploy their own infection schemes for quick and easy profit. One thing, though, is certain: the exploit kit scene is about to see another shift in power as the demand for these kinds of services will always be on the rise.

All Trustwave SWG and Trustwave UTM customers are protected against RIG Exploit Kit without the need for any further updates.