RIG Exploit Kit – Source Code Leak

As the past has show us, cybercriminals are not the most trustworthy people when it come to holding valuable sources, and it looks like we’re about to get another reminder of that, this time with an exploit pack leak.

RIG is a popular exploit kit which has been around for about a year and sold on various “underground” forums. On February 3rd 2015 a user claiming to be the “Official HF Sales Rep” posted a sales thread on hackforums (HF), which is unusual as most serious sellers avoid this forum completely. It’s likely the decision to allow resellers on this specific board was due to a large amount of users trying to rent out access to their RIG accounts, resulting in lost income for the seller.

Hackforums RIG sales thread

Although the HF reseller first claimed to be a verified seller, the claims soon escalated into being “more than just a seller”, and before long he was registering on private forums claiming to be one of the developers.

Sellers with benefits
Private forum introduction

His introduction into the private forum didn’t go too well: First members pointed out that his RIG prices were nearly 40% higher than the official sellers (typical of a re-seller not a developer), then they made fun of him when someone posted screenshots of his website, which was requesting a $3000 payment to gain access to his never-heard-of private forum. Eventually the entire thread turned into people making fun of him, before the administrator banned his account.

It seems like the RIG owner was less than pleased with the reseller’s antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn’t surprising given he was requesting that people pay him $3000 for access to an imaginary private forum.

Conversation between a HF member and RIG owner

Shortly after, the reseller does what any cybercriminal does when his enterprise begins crumbling around him: He signs up for twitter and becomes a security researcher???

I don’t even….

The twitter account, which is a pun on MalwareMustDie, claims to be in possession of the RIG source code as well as a recent database dump, and is currently tweeting a download link at various security researchers (not me though, apparently I’m not good enough). The file, which is password protected, was deleted from the filehost after less than 24 downloads, so I am not able to confirm if this is legit or just another scriptkiddie tantrum.

A screenshot allegedly showing panel files and sql database dump

RIG owner confirms he may have database and older version of exploit kit.

I’ll post updates when I have more info.

Updated 02/12/2015 09:00 (UTC)

I’ve confirmed with 3 people that the leak is in fact legitimate, and a fairly recent version of the pack.

@kafeine has mentioned that he thinks someone with access to the RIG panel may be stealing traffic. He reports that occasionally the exploit payload appears to be replaced with another (usually cryptowall); which coincides with a lot of claims made by customers who bought RIG through the reseller.

a RIG thread pushing 2 different payloads
Due to the way in which the RIG exploit pack works (the exploiting is done by a back-end server, so no exploits are contained within the leak), I have decided to upload it here (thanks to @kafeine for files and information).