RIG developer tried to sell RIG services on multiple forums

Feb 13, 2015 16:06 GMT  ·  By

A hacker claiming to have worked on developing the RIG exploit kit, dissatisfied at not being paid for the updates he had written for the malicious utility, decided to leak the source code of the attack tool.

Initially, the hacker attempted to sell RIG services on HackForums, a site generally regarded as a haunt of script kiddies.

Hacker's selling offer incompatible with the blackhat market

He then registered on private underground forums, where he was quickly banned, but not before becoming the target of ridicule and mockery: because he was offering the RIG service at a higher price than the generally accepted rate, members labeled him a scammer trying to rip off the blackhat community's clientele.

With this door slammed in his face, the disgruntled hacker uploaded the source code and a database to an online sharing service and set up a Twitter account, from which he contacted various security researchers and sent them the link to the RIG dump.

UK-based malware researcher MalwareTech said in a blog post on Thursday that members of the private forum “pointed out that his RIG prices were nearly 40% higher than the official sellers (typical of a re-seller not a developer).”

Code is legit, no exploits included

Initially, there was no confirmation that the leaked code was in fact that of the RIG exploit kit. However, in an update to the original post the researcher says that three people confirmed the code is legitimate and corresponds to "a fairly recent version of the pack."

The database included in the leak records about 1,200 infections, researchers at Trustwave say after analyzing it. By comparison, the total number of RIG infections Trustwave has collected is around 418,000, with a very high exploitation rate of 33%, meaning roughly one in three visitors reaching the kit's landing page was successfully exploited.

According to the security company, Flash exploits accounted for most of those infections, impacting about 170,000 machines.

The RIG exploit kit is a popular browser-based attack tool: it probes a visitor's browser and plugins for vulnerable versions and uses them to deliver all sorts of malware, from banking Trojans to file-encrypting ransomware.

The leak does not include any exploits, since with RIG the exploitation itself is done on a backend server that was not part of the dump. Because the leaked code cannot be used to attack anyone on its own, MalwareTech decided to make the source code publicly available so that researchers can study it and improve security products.

Trustwave warns that, although the leak may cause experienced cybercriminals to slow down their activity for the moment, it also allows less experienced attackers (script kiddies) to set up infection schemes for a fast buck.