Exploit kit activity has been declining since the second half of 2016, but we still periodically see significant developments in this space, and the RIG EK seems to buck the trend. It has been involved in an ongoing campaign delivering a wide range of crimeware payloads, and the latest campaign saw RIG dropping the Grobios malware, which is tailored to be a very stealthy backdoor and takes great pains to avoid detection and evade virtual and sandbox environments.
The campaign was first seen on March 10 by FireEye Labs, redirecting victims to a compromised domain, latorre[.]com[.]au, with a malicious iframe injected into it. That iframe, in turn, loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page. RIG then loads a malicious Flash file which, when opened, drops the Grobios trojan.
The Trojan’s main hallmark is an impressive arsenal of evasion and anti-sandbox techniques, according to FireEye researchers. Researchers and blog post co-authors Irshad Muhammad, Shahzad Ahmed, Hassan Faizan and Zain Gardezi report that the developers clearly tried to thwart any attempt to dissect the malware, as it was well-protected with multiple anti-debugging, anti-analysis and anti-VM techniques to hide its behavior and C2 traffic.
“The main purpose of Grobios malware is to help an attacker establish a strong foothold in the system by employing various kinds of evasions and anti-VM techniques,” Ali Islam, director of FireEye, told Threatpost. “Once a strong foothold is established, an attacker can drop a payload of his/her choice, which can be anything from an info stealer to ransomware, etc.”
In an effort to evade static detection, the studied Grobios sample was packed with the Windows executable compression tool PECompact. "The unpacked sample has no function entries in the import table," the blog post states. "It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings."
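The two static indicators quoted above, an empty import table and API hashing, are easier to reason about with a concrete PE walk. The following is an added example, not FireEye's or Threatpost's code and not the Grobios routine itself: it builds a tiny constructed PE32+ image with an export table, checks whether the import directory is populated (an empty one is the red flag the blog post mentions), walks the export directory the way a loader or the malware does, and pre-computes a hash-to-name table so an analyst can map hashes found in a sample back to API names. The ROR-13 hash is an assumption chosen because it is common in position-independent code; the article does not state which hash Grobios uses.

```python
"""Added example: resolving API hashing by walking a PE export table (not Grobios' own routine)."""
import struct


def ror13_hash(name: bytes) -> int:
    # Assumed hash: rotate-right-13 then add each byte; a stand-in, not the real Grobios algorithm.
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_minimal_dll(exports):
    """Construct a minimal PE32+ file with one .rdata section holding an export table (constructed sample)."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(exports)
    funcs_rva = sec_rva + 40                 # export directory is 40 bytes, then the three arrays
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings, name_rvas = bytearray(), []
    for name in exports:
        name_rvas.append(strings_rva + len(strings))
        strings += name + b"\0"
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    funcs = b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))   # fake code RVAs
    names = b"".join(struct.pack("<I", r) for r in name_rvas)
    ords = b"".join(struct.pack("<H", i) for i in range(n))
    body = exp_dir + funcs + names + ords + bytes(strings)
    body += b"\0" * (-len(body) % 0x200)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(body))        # export directory; import directory left 0/0
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers + b"\0" * (sec_off - len(headers)) + body


def _rva_to_offset(data: bytes, rva: int) -> int:
    # Map an RVA to a file offset via the section table, as a loader (or the malware) would.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA not mapped by any section")


def _data_directory(data: bytes, index: int):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)             # PE32+ vs PE32 layout
    return struct.unpack_from("<II", data, dir_base + 8 * index)


def has_import_table(data: bytes) -> bool:
    """False when the import directory (index 1) is absent, the static indicator the post describes."""
    rva, size = _data_directory(data, 1)
    return rva != 0 and size != 0


def export_names(data: bytes):
    """Walk the export directory (index 0) and return the exported names in table order."""
    rva, _ = _data_directory(data, 0)
    if rva == 0:
        return []
    off = _rva_to_offset(data, rva)
    nnames, names_rva = struct.unpack_from("<II", data, off + 24)[0], struct.unpack_from("<I", data, off + 32)[0]
    names_off = _rva_to_offset(data, names_rva)
    out = []
    for i in range(nnames):
        s = _rva_to_offset(data, struct.unpack_from("<I", data, names_off + 4 * i)[0])
        out.append(data[s:data.index(b"\0", s)])
    return out


def build_hash_table(data: bytes) -> dict:
    # Analyst side: pre-compute hash -> name for every export so hashes seen in a sample can be resolved.
    return {ror13_hash(n): n.decode() for n in export_names(data)}


def resolve_hashes(table: dict, hashes):
    return [table.get(h, f"unknown:{h:#010x}") for h in hashes]


if __name__ == "__main__":
    dll = build_minimal_dll([b"CreateFileW", b"VirtualAlloc", b"WriteFile"])   # constructed stand-in DLL
    print("import table present:", has_import_table(dll))
    table = build_hash_table(dll)
    observed = [ror13_hash(b"VirtualAlloc"), ror13_hash(b"WriteFile"), 0xDEADBEEF]   # constructed sample hashes
    print(resolve_hashes(table, observed))
```

Run against a real set of system DLLs, the same walk over each library's export directory gives a table of every hash the sample could be referring to, which is how hashed imports are recovered during analysis once the hash routine has been identified from the unpacked code.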