First
About a month ago I wrote the article "Analyzing Rig Exploit Kit vol.1". Since then I have observed a payload that differs from the one I introduced there, so this post covers it.
Step 0
For the behavior of RigEK, please read the previous article first; everything up to Step 4 is the same, so I will skip it this time. Last time I introduced the exploits for CVE-2016-0189 and CVE-2015-2419, plus an swf one (I don't have knowledge of swf, so I omitted it).
Analyzing Rig Exploit Kit vol.1
Step 1
As before, reading through the obfuscated RigEK code turns up three payloads. The first uses the same CVE-2016-0189 exploit as last time, the second is again the swf one, and the third is the payload introduced in this post. The following is its code immediately after removing the obfuscation.
Step 2
The code is VBScript, and part of it resembles the CVE-2016-0189 payload, but let's read the code in order.
The function sdefgfss(), written at the beginning, contains unusual byte sequences in its string literals that you do not normally see; rewritten for clarity, it is the following code.
In VBScript "&" is the string concatenation operator, so if you have studied drive-by downloads or exploit kits so far, this kind of code will look familiar. The function assembles the command that executes "o32.tmp": the URL is the RigEK endpoint that serves the malware as x-msdownload, and the key is used to decode the dropped malware with RC4.
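The decode step in practice, as an added example that is not code from the original post or from RigEK: once you have the key string from sdefgfss() and the body fetched from the URL, RC4 with that key should yield a PE file. The key and the PE stub below are constructed for the demo (the real key is whatever the script carries), and the assumption is that the server response is the raw RC4 ciphertext with no extra wrapping.

```python
import struct


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    # Key-scheduling algorithm
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed over the data
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_pe(data: bytes) -> bool:
    """Sanity check for a decoded drop: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_dropped_payload(blob: bytes, key: str) -> bytes:
    """Decode an x-msdownload body with the RC4 key taken from the VBScript.

    The key in the script is a string; RC4 consumes its bytes (assumed single-byte encoding).
    """
    return rc4_crypt(key.encode("latin-1"), blob)


def _build_pe_stub() -> bytes:
    """Constructed stand-in for a dropped EXE: just enough header for is_pe() to accept it."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 16


# Constructed sample: a hypothetical key and the "server response" it would produce.
SAMPLE_KEY = "sdefgfss_demo_key"          # assumption: not a real RigEK key
SAMPLE_PLAINTEXT = _build_pe_stub()
SAMPLE_ENCRYPTED = rc4_crypt(SAMPLE_KEY.encode("latin-1"), SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    decoded = decrypt_dropped_payload(SAMPLE_ENCRYPTED, SAMPLE_KEY)
    print("RC4 known-answer ok:", rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3")
    print("decoded drop looks like a PE:", is_pe(decoded))
```

The known-answer check (key "Key", plaintext "Plaintext") guards against an off-by-one in the KSA/PRGA before you trust the output; if the decoded body does not start with MZ, the usual suspects are a mis-transcribed key, a different string encoding, or a layer of encoding around the ciphertext that the script removes first.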
CVE-2014-6332 is a vulnerability that is used in many EKs, which was previously incorporated in RigEK, which means that we observed it this time.
FinallyRig just changed the URL parameter the other day, the payload may also be updated, I will write an article if I observe it.
URL parameter of #RigEK changed 2 days ago. The new parameters are "q", "oq", "ct", "basket", "tuesday", "fisher".— nao_sec (@nao_sec) May 7, 2017
Have a good analysis day😉