Tuesday, October 17, 2017

Response of Rig Exploit Kit has changed

Introduction

On 15 October I noticed a change in Rig Exploit Kit. It is a very small change, and some people will not have noticed it. Its impact is limited, but it has been troublesome for some researchers. This post introduces the change.

Change of RigEK

First of all, are you aware of this characteristic of RigEK? RigEK uses several functions that interfere with analysis. Besides obfuscating its code, it has a function that controls access: put simply, RigEK will not deliver its attack if the same IP address accesses it more than once in a row. On the second and later accesses you are redirected to an ordinary website (strictly speaking, there is a grace period of one and a half to two minutes before the gate resets). This makes analysis difficult.

This is the response of the previous RigEK landing page.



The top screenshot is the response when accessing for the first time. The bottom one is the response when accessing a second time from the same IP address.

Looking at the second response, you can see that it is very characteristic. The client is redirected to the website in the Location header with HTTP status code 302, but the body containing the attack code is still present. Therefore, by ignoring the Location header, it was possible to analyze RigEK any number of times.

However, two days ago the response to the second and later accesses changed. The new response is as follows.


Instead of HTTP status code 302, the string "not found" is now sent with status code 200, and the body no longer contains the attack code. This is a small change, but it clearly shows that RigEK is still being changed.
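To make the three response patterns described above (first access, the old gated 302, and the new gated 200 "not found") concrete for an analysis pipeline, here is an added example classifier. It is not code from the original post or from RigEK; the HTTP responses in it are constructed placeholders with no landing-page content, and the heuristic that a gated 302 carries a full HTML body is an assumption drawn from the post's description rather than a rule the kit is known to follow.

```python
"""
Classify RigEK-style landing-page responses so that an analysis pipeline
does not mistake the new gated "not found" reply for a dead landing page.

Added example, not code from the original post. The sample responses are
constructed placeholders; they contain no real landing-page content.
"""
from typing import Dict, Optional, Tuple

# Labels for the three patterns described in the post, plus a fallback.
FIRST_VISIT = "first-visit: 200 with HTML body"
OLD_GATE = "repeat-visit (old): 302 redirect, body still present"
NEW_GATE = "repeat-visit (new): 200 with 'not found' body"
UNKNOWN = "unknown"


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def _looks_like_html(text: bytes) -> bool:
    """Assumption: a page worth analyzing starts like an HTML document."""
    return text.startswith(b"<html") or text.startswith(b"<!doctype")


def classify(raw: bytes) -> str:
    """Return which of the observed response patterns a raw response matches."""
    status, headers, body = parse_response(raw)
    text = body.strip().lower()
    # Old gate: 302 with a Location header, but the body is still a full page.
    # A plain "Moved" stub from an ordinary server would not pass this check.
    if status == 302 and "location" in headers and _looks_like_html(text):
        return OLD_GATE
    # New gate: 200 whose whole body is the string "not found".
    if status == 200 and text == b"not found":
        return NEW_GATE
    # First access: 200 with the landing page itself.
    if status == 200 and _looks_like_html(text):
        return FIRST_VISIT
    return UNKNOWN


def usable_body(raw: bytes) -> Optional[bytes]:
    """Return the body if it still carries content to analyze, else None.

    This is the 'ignore the Location header' trick from the post: the old
    gate left the page in the body, the new gate does not.
    """
    if classify(raw) in (FIRST_VISIT, OLD_GATE):
        return parse_response(raw)[2]
    return None


# Constructed sample responses (placeholders, not captured traffic).
SAMPLE_FIRST = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><!-- constructed placeholder page --></body></html>"
)
SAMPLE_OLD_GATE = (
    b"HTTP/1.1 302 Found\r\nLocation: http://example.com/\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><!-- constructed placeholder page --></body></html>"
)
SAMPLE_NEW_GATE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nnot found"

if __name__ == "__main__":
    for name, sample in (("first", SAMPLE_FIRST), ("old gate", SAMPLE_OLD_GATE),
                         ("new gate", SAMPLE_NEW_GATE)):
        print("%-9s -> %s; body usable: %s"
              % (name, classify(sample), usable_body(sample) is not None))
```

When run over responses saved from a sandbox or proxy, `usable_body` tells you whether a second fetch still yielded anything worth decoding; under the new behaviour it returns `None`, which is the signal to treat the result as gated rather than as a dead landing page.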

Closing

Changes like this will keep occurring. I will keep an eye out for even small changes and continue observing RigEK.