RIG EK delivers Grobios trojan

Exploit kit activity has been declining since the latter half of 2016, but we do still periodically observe significant developments in this space and the RIG EK seems to buck the trend. It’s been involved in an ongoing activity involving a wide range of crimeware payloads; and the latest campaign saw RIG dropping the Grobios malware, which is tailored to be a really stealthy backdoor and takes great pains to avoid detection and evade virtual and sandbox environments.

The campaign was first seen on March 10 by FireEye Labs, redirecting victims to a compromised domain, latorre[.]com[.]au, with a malicious iframe injected into it. That iframe, in turn, loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page. RIG then loads a malicious Flash file which when opened drops the Grobios trojan.

The Trojan’s main hallmark is an impressive arsenal of evasion and anti-sandbox techniques, according to FireEye researchers. Researchers and blog post co-authors Irshad Muhammad, Shahzad Ahmed, Hassan Faizan, Zain Gardezi, report that the developers clearly tried to impede any attempts to dissect the malware, as it was well-protected with multiple anti-debugging and anti-analysis and anti-VM techniques to hide its behaviour and C2 traffic.

“The main purpose of Grobios malware is to help attacker establish a strong foothold in the system by employing various kinds of evasions and anti-VM techniques,” Ali Islam, director of FireEye, told Threatpost. “Once a strong foothold is established, an attacker can drop a payload of his/her choice, which can be anything from an info stealer to ransomware, etc.”

In an effort to evade static detection, the studied Grobios sample was packed with the Windows executables compression tool PECompact. "The unpacked sample has no function entries in the import table," the blog post states. "It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings."