RIG Exploit Kit – Source Code Leak

As the past has shown us, cybercriminals are not the most trustworthy people when it comes to holding valuable sources, and it looks like we’re about to get another reminder of that, this time with an exploit pack leak.

RIG is a popular exploit kit which has been around for about a year and sold on various “underground” forums. On February 3rd, 2015, a user claiming to be the “Official HF Sales Rep” posted a sales thread on hackforums (HF), which is unusual as most serious sellers avoid this forum completely. It’s likely the decision to allow resellers on this specific board was due to a large number of users trying to rent out access to their RIG accounts, resulting in lost income for the seller.

Hackforums RIG sales thread

Although the HF reseller first claimed to be a verified seller, the claims soon escalated into being “more than just a seller”, and before long he was registering on private forums claiming to be one of the developers.

Sellers with benefits
Private forum introduction

His introduction into the private forum didn’t go too well: first, members pointed out that his RIG prices were nearly 40% higher than the official sellers’ (typical of a reseller, not a developer), then they made fun of him when someone posted screenshots of his website, which was requesting a $3000 payment to gain access to his never-heard-of private forum. Eventually the entire thread turned into people making fun of him, before the administrator banned his account.

It seems like the RIG owner was less than pleased with the reseller’s antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn’t surprising given he was requesting that people pay him $3000 for access to an imaginary private forum.

Conversation between a HF member and RIG owner

Shortly after, the reseller does what any cybercriminal does when his enterprise begins crumbling around him: He signs up for twitter and becomes a security researcher???

I don’t even….

The twitter account, which is a pun on MalwareMustDie, claims to be in possession of the RIG source code as well as a recent database dump, and is currently tweeting a download link at various security researchers (not me though, apparently I’m not good enough). The file, which is password protected, was deleted from the filehost after less than 24 downloads, so I am not able to confirm if this is legit or just another scriptkiddie tantrum.

A screenshot allegedly showing panel files and sql database dump
RIG owner confirms he may have database and older version of exploit kit.

I’ll post updates when I have more info.

Updated 02/12/2015 09:00 (UTC)

I’ve confirmed with 3 people that the leak is in fact legitimate, and a fairly recent version of the pack.

@kafeine has mentioned that he thinks someone with access to the RIG panel may be stealing traffic. He reports that occasionally the exploit payload appears to be replaced with another (usually CryptoWall), which coincides with a lot of claims made by customers who bought RIG through the reseller.

a RIG thread pushing 2 different payloads
Due to the way in which the RIG exploit pack works (the exploiting is done by a back-end server, so no exploits are contained within the leak), I have decided to upload it here (thanks to @kafeine for files and information).