Search the Community

A spitting match between developers of the Rig Exploit Kit and one of its resellers resulted in a partial leak of the kit’s source code in a hacker forum. Rig is less than a year old and is spread primarily in malvertising campaigns, pushing Flash, Java and Microsoft Silverlight exploits; some versions also push ransomware. Experts, however, aren’t sure this will give birth to a rash of campaigns centered on Rig. “I do not think this will be really noticeable,” said French exploit kit researcher Kafeine, who found the leak being advertised on a hacker board. He said the main pushers of Rig do no operate on the same forum. “Following this leak, the crooks might get cold feet and try to stay under the radar to elude law enforcement’s attention,” said a report posted yesterday by researchers at Trustwave SpiderLabs. “As a result we’d expect to see less activity. On the other hand, script kiddies may now use this source code to try and deploy their own infection schemes for quick and easy profit.” A U.K. researcher known as MalwareTech said the leaker is likely a Rig Exploit Kit reseller who tried to scam potential buyers by charging prices 40 percent higher than “official” Rig sellers, as well as asking $3,000 for access to a private forum that did not exist, according to screenshots from his website. “It seems like the RIG owner was less than pleased with the reseller’s antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn’t surprising given he was requesting that people pay him $3000 for access to an imaginary private forum,” MalwareTech wrote on his website. No honor among thieves. Undaunted, the reseller took to Twitter creating an account that riffed on researchers from Malware Must Die. In a series of tweets, the reseller said he was in possession of Rig source code and a database dump; he also provided a download link. MalwareTech said the password-protected file was deleted after a couple dozen downloads. He said, however, that he confirmed the leak was legitimate with three other sources. The leak, however, is incomplete and it appears the reseller leaked only files he had access to, Trustwave SpiderLabs said. “In addition to parts of the source code, the contents of the leak included a partial export of the server database,” Trustwave said. Its researchers thus had access to infection stats and saw only about 1,200 since the leak. Sursa

As the past has show us, cybercriminals are not the most trustworthy people when it come to holding valuable sources, and it looks like we're about to get another reminder of that, this time with an exploit pack leak. RIG is a popular exploit kit which has been around for about a year and sold on various "underground" forums. On February 3rd 2015 a user claiming to be the "Official HF Sales Rep" posted a sales thread on hackforums (HF), which is unusual as most serious sellers avoid this forum completely. It's likely the decision to allow resellers on this specific board was due to a large amount of users trying to rent out access to their RIG accounts, resulting in lost income for the seller. Hackforums RIG sales thread Although the HF reseller first claimed to be a verified seller, the claims soon escalated into being "more than just a seller", and before long he was registering on private forums claiming to be one of the developers. Sellers with benefits Private forum introduction His introduction into the private forum didn't go too well: First members pointed out that his RIG prices were nearly 40% higher than the official sellers (typical of a re-seller not a developer), then they made fun of him when someone posted screenshots of his website, which was requesting a $3000 payment to gain access to his never-heard-of private forum. Eventually the entire thread turned into people making fun of him, before the administrator banned his account. It seems like the RIG owner was less than pleased with the reseller's antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn't surprising given he was requesting that people pay him $3000 for access to an imaginary private forum. Conversation between a HF member and RIG owner Shortly after, the reseller does what any cybercriminal does when his enterprise begins crumbling around him: He sings up for twitter and becomes a security researcher??? I don't even.... The twitter account, which is a pun on MalwareMustDie, claims to be in possession of the RIG source code as well as a recent database dump, and is currently tweeting a download link at various security researchers (not me though, apparently I'm not good enough). The file, which is password protected, was deleted from the filehost after less than 24 downloads, so I am not able to confirm if this is legit or just another scriptkiddie tantrum. A screenshot allegedly showing panel files and sql database dump RIG owner confirms he may have database and older version of exploit kit. I'll post updates when I have more info. Updated 02/12/2015 09:00 (UTC) I've confirmed with 3 people that the leak is in fact legitimate, and a fairly recent version of the pack, though it is possibly some parts may be missing. @kafeine has mentioned that he thinks someone with access to the RIG panel may be stealing traffic. He reports that occasionally the exploit payload appears to be replaced with another (usually cryptowall); which coincides with a lot of claims made by customers who bought RIG through the reseller. a RIG thread pushing 2 different payloads Due to the way in which the RIG exploit pack works (the exploiting is done by a back-end server, so no exploits are contained within the leak), I have decided to upload it here (thanks to @kafeine for files and information). Via RIG Exploit Kit - Source Code Leak | MalwareTech