Hackers have been phishing for domain credentials and using the logins to gain access to websites and create malicious subdomains – a process called domain shadowing – and using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit.
The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently without the users’ knowledge. All that is required for infection is an out of date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, the Rig exploit kit is now the leading EK used by cybercriminals and activity has increased sharply in recent months.
Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns – malicious adverts sneaked onto third party ad networks. Those ads are then syndicated across a wide range of high traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! Websites.
Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware.
The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May.
While this take down is certainly good news, it is unclear how much of an effect it will have on Rig EK operations as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to prevent cybercriminals from using domain shadowing and are monitoring for new subdomains that are created. It is unclear if sites purchased through other domain registrars have been targeted in a similar way.
Domain shadowing is a problem because content filters typically have problems identifying malicious subdomains on a genuine website. Since the subdomains only remain active for around 24 hours before being shut down, cybercriminals can avoid domain blacklisting.
However, content filters can prevent users from visiting known malicious websites and they offer protection against webpages hosting exploit kits. They can also be configured to block the downloading of specific file types.
Organizations care also strongly advised to ensure browsers and plugins are kept up to date, especially Java, Silverlight and Adobe Flash plugins. Malware downloaded by the RIG exploit kit most commonly leverages the CVE-2015-8651 vulnerability, although other common exploits include CVE-2016-0189, CVE-2015-2419, and CVE-2014-6332