<!DOCTYPE html>
<!-- saved from url=(0058)http://blog.talosintel.com/2016/01/rigging-compromise.html -->
<html class="v2" dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xmlns:b="http://www.google.com/2005/gml/b" xmlns:data="http://www.google.com/2005/gml/data" xmlns:expr="http://www.google.com/2005/gml/expr"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta content="width=1100" name="viewport">
<script async="" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/async-ads.js"></script><script async="" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/async-ads.js"></script><script async="" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/async-ads.js"></script><script src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/cb=gapi.loaded_1" async=""></script><script src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/cb=gapi.loaded_0" async=""></script><script async="" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/analytics.js"></script><script type="text/javascript">(function() { (function(){function c(a){this.t={};this.tick=function(a,c,b){var d=void 0!=b?b:(new Date).getTime();this.t[a]=[d,c];if(void 0==b)try{window.console.timeStamp("CSI/"+a)}catch(e){}};this.tick("start",null,a)}var a;window.performance&&(a=window.performance.timing);var h=a?new c(a.responseStart):new c;window.jstiming={Timer:c,load:h};if(a){var b=a.navigationStart,e=a.responseStart;0<b&&e>=b&&(window.jstiming.srt=e-b)}if(a){var d=window.jstiming.load;0<b&&e>=b&&(d.tick("_wtsrt",void 0,b),d.tick("wtsrt_",
"_wtsrt",e),d.tick("tbsd_","wtsrt_"))}try{a=null,window.chrome&&window.chrome.csi&&(a=Math.floor(window.chrome.csi().pageT),d&&0<b&&(d.tick("_tbnd",void 0,window.chrome.csi().startE),d.tick("tbnd_","_tbnd",b))),null==a&&window.gtbExternal&&(a=window.gtbExternal.pageT()),null==a&&window.external&&(a=window.external.pageT,d&&0<b&&(d.tick("_tbnd",void 0,window.external.startE),d.tick("tbnd_","_tbnd",b))),a&&(window.jstiming.pt=a)}catch(k){}})();window.tickAboveFold=function(c){var a=0;if(c.offsetParent){do a+=c.offsetTop;while(c=c.offsetParent)}c=a;750>=c&&window.jstiming.load.tick("aft")};var f=!1;function g(){f||(f=!0,window.jstiming.load.tick("firstScrollTime"))}window.addEventListener?window.addEventListener("scroll",g,!1):window.attachEvent("onscroll",g);
})();</script>
<meta content="blogger" name="generator">
<link href="http://blog.talosintel.com/favicon.ico" rel="icon" type="image/x-icon">
<link href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit.html" rel="canonical">
<link rel="alternate" type="application/atom+xml" title="Cisco Talos Blog - Atom" href="http://blog.talosintel.com/feeds/posts/default">
<link rel="alternate" type="application/rss+xml" title="Cisco Talos Blog - RSS" href="http://blog.talosintel.com/feeds/posts/default?alt=rss">
<link rel="service.post" type="application/atom+xml" title="Cisco Talos Blog - Atom" href="https://www.blogger.com/feeds/1029833275466591797/posts/default">
<link rel="alternate" type="application/atom+xml" title="Cisco Talos Blog - Atom" href="http://blog.talosintel.com/feeds/1476026378647980857/comments/default">
<!--[if IE]><script type="text/javascript" src="https://www.blogger.com/static/v1/jsbin/3975134397-ieretrofit.js"></script>
<![endif]-->
<link href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/01-js.png" rel="image_src">
<!--[if IE]> <script> (function() { var html5 = ("abbr,article,aside,audio,canvas,datalist,details," + "figure,footer,header,hgroup,mark,menu,meter,nav,output," + "progress,section,time,video").split(','); for (var i = 0; i < html5.length; i++) { document.createElement(html5[i]); } try { document.execCommand('BackgroundImageCache', false, true); } catch(e) {} })(); </script> <![endif]-->
<title>Cisco Talos Blog: Rigging compromise - RIG Exploit Kit </title>
<link href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/css" rel="stylesheet">
<link href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/bootstrap.scss" rel="stylesheet">
<script src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/jquery-1.11.3.min.js"></script>
<script src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/bootstrap.min.js"></script>
<link type="text/css" rel="stylesheet" href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/2973171168-css_bundle_v2.css">
<link type="text/css" rel="stylesheet" href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/gsearch.css">
<link type="text/css" rel="stylesheet" href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/authorization.css">
<style id="page-skin-1" type="text/css"><!--
body {
background-color: #26282A;
color: #FFFFFF;
font-family: 'Roboto', sans-serif;
font-weight: 100;
font-size: 11.5pt;
line-height: 1.5em !important;
}
#header {
display: none;
}
a {
text-decoration: none;
}
.widget {
line-height: 1.5em;
}
/********* Navigation styles **********/
#nav {
height: 83px;
max-height: 83px;
margin: auto;
text-align: center;
font-family: 'Exo 2', sans-serif;
text-transform: uppercase;
font-weight: 300;
font-size: 10pt;
background-color: #212224;
}
#nav_logo {
position: absolute;
z-index: 9000;
left: 0;
right: 0;
margin: auto;
max-height: 115px;
width: 25%;
min-width: 150px;
max-width: 272px;
}
#nav_logo img {
width: 100%;
height: auto;
}
#nav ul {
height: 70px;
list-style: none;
}
#left_nav {
width: 50%;
float: left;
text-align: right;
}
#left_nav ul {
text-align: right;
display: block;
}
#left_nav ul.first {
margin-right: 140px;
margin-top: 10px;
padding: 0;
}
#right_nav ul.first {
margin-left: 100px;
margin-top: 10px;
}
#right_nav {
width: 50%;
float: right;
text-align: left;
}
#nav a {
color: #9ea0a5;
text-decoration: none;
}
#nav li {
text-align: center;
padding: 3px 2.3% 0 2.3%;
height: 60px;
}
#right_nav li {
float: left;
position: relative;
}
#left_nav li {
float: right;
position: relative;
}
#left_nav li:hover, #right_nav li:hover, #left_nav li.active, #right_nav li.active {
box-shadow: 0 9px 0 0 #212224,0 13px 0 0 #385b70;
}
#left_nav li.active::before, #left_nav li:hover::before, #right_nav li:hover::before, #right_nav li.active::before {
background-color: #385b70;
width: 12px;
height: 12px;
border-radius: 6px;
content: ' ';
bottom: -17px;
left: 45%;
position: absolute;
z-index: 99999;
}
li.no_icon span {
padding-top: 33px;
display:block;
}
.social_media img {margin-top: 2px;}
.social_second {padding: 5px 0 0 1.65% !important;}
.social_second img {padding-bottom: 4px;}
.social_first {
padding-left: 1.65% !important;
padding-right: 1.65% !important;
}
#nav .nav_icon img {
width: 34px;
height: auto;
padding-bottom: 7px;
}
#nav_desktop .nav_icon.blog img {
padding-bottom: 2px !important;
margin-top: -1px;
}
#nav .right_border {border-right: 2px solid #36373a;}
#nav .left_border {border-left: 2px solid #36373a;}
#nav .top_border {border-top: 2px solid #36373a;}
#nav_mobile {
display: block;
position: absolute;
z-index: 6000;
width: 100%;
padding-top: 70px;
}
#nav_desktop {
display: none;
}
@media (min-width: 1100px) {
#nav_desktop {
display: block;
}
#nav_mobile {
display: none;
}
}
.break {
display: none;
}
@media (min-width: 1100px) and (max-width: 1425px){
.break {
display: inline !important;
}
#nav li {
line-height: 1em;
}
}
@media (min-width: 1425px) {
#nav li {
padding: 3px 2.3% 0 2.3%;
}
}
#nav_mobile ul {
padding-left: 0;
}
#nav_mobile ul li {
background-color: #212224;
float: none;
display: block;
border-bottom: 2px solid #36373a;
padding: 10px 5%;
width: 100%;
height: 50px;
text-align: left;
font-size: 10pt;
line-height: 2em;
-webkit-transition: background .5s;
transition: background .5s;
}
@media (min-width: 400px) {
#nav_mobile ul li {
padding: 0 15% !important;
line-height: 3.75em;
}
}
#nav_mobile ul li:hover {
background-color: #303338;
}
#nav_mobile img {
width: 34px;
height: auto;
margin-right: 20px;
margin-left: 10%;
float: left;
padding-top: 10px;
}
.spacer {
width: 34px;
height: 50px;
display: inline-block;
margin-right: 20px;
margin-left: 10%;
float: left;
}
#menu_button {
position: absolute;
z-index: 1600;
top: 12px;
right: 12px;
padding: 5px 8px 4px 8px;
background-color: #212224;
border: 2px solid #36373a;
box-shadow: none;
border-radius: 2px;
-webkit-transition: background .5s;
transition: background .5s;
}
#menu_button:hover {
background-color: #303338;
}
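/* Glyphicons Halflings web font (used by .glyphicon / #menu_button).
   NOTE(review): every font URL below is plain http://. The page itself was captured
   over http:// (see the "saved from url" comment in the head), so at capture time this
   was not mixed content; if the blog is ever served over https these become mixed
   content (typically blocked by browsers) and, where they do load, the font binaries
   arrive unauthenticated. Left as captured -- switch to https:// only if the host serves it. */
@font-face {
font-family: 'Glyphicons Halflings';
src: url('http://talosintel.com/files/blog_files/fonts/glyphicons-halflings-regular.eot');
/* first URL was 'fonts//glyphicons-...' (doubled slash); every other URL in this rule uses a single slash */
src: url('http://talosintel.com/files/blog_files/fonts/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'), url('http://talosintel.com/files/blog_files/fonts/glyphicons-halflings-regular.woff2') format('woff2'), url('http://talosintel.com/files/blog_files/fonts/glyphicons-halflings-regular.woff') format('woff'), url('http://talosintel.com/files/blog_files/fonts/glyphicons-halflings-regular.ttf') format('truetype'), url('http://talosintel.com/files/blog_files/fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular') format('svg');
}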
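/* Base style for glyphicon icon spans (e.g. the hamburger icon inside #menu_button). */
.glyphicon {
position: relative;
top: 1px;
display: inline-block;
font-family: 'Glyphicons Halflings';
font-style: normal;
font-weight: normal;
line-height: 1;
-webkit-font-smoothing: antialiased;
-moz-osx-font-smoothing: grayscale;
box-sizing: border-box; /* was 'border:box' -- invalid value, the declaration was silently dropped; matches .glyphicon-menu-hamburger:before */
border: 0;
border-image-repeat: stretch;
border-image-slice: 100%;
margin: 0;
padding: 0;
-webkit-user-select: none;
white-space: nowrap;
word-spacing: 0px;
}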
#menu_button .glyphicon {
font-size: 14pt;
color: #9EA0A5;
text-shadow: none;
}
.glyphicon-menu-hamburger:before {
content: "\e236";
box-sizing: border-box;
}
.collapse {
display: none;
}
.collapse.in {
display: block;
}
.collapsing {
position: relative;
height: 0;
overflow: hidden;
-webkit-transition-property: height, visibility;
-o-transition-property: height, visibility;
transition-property: height, visibility;
-webkit-transition-duration: 0.35s;
-o-transition-duration: 0.35s;
transition-duration: 0.35s;
-webkit-transition-timing-function: ease;
-o-transition-timing-function: ease;
transition-timing-function: ease;
}
/*********** Footer Styles *********/
#footer {
clear: both;
min-height: 110px;
text-align: center;
color: #747678;
font-size: 10.5pt;
font-family: 'Exo 2', sans-serif;
font-weight: 400;
width: 100%;
background-color: #212224;
display: block;
}
#footer .footer_nav_wrapper {
max-width: 1100px;
margin: auto;
}
#footer ul {
margin: auto;
list-style: none;
}
ul.footer_nav {
text-align: center;
padding: 0 20px;
}
@media screen and (min-width: 992px) {
ul.footer_nav {
text-align: left;
}
}
.nopad {
margin: 0;
padding: 0;
}
ul.footer_nav li.list_col {
text-align: center;
}
ul.footer_nav li ul li {
padding: 1px 0;
}
/* styles for full width nav col with straight 1 col list of links - small mobile screens */
ul.footer_nav li ul.pad.second.last {
padding-bottom: 32px;
}
ul.footer_nav li ul.pad.first.top {
padding-top: 32px;
padding-left: 0;
}
ul.footer_nav ul {
padding-left: 0;
}
@media screen and (min-width: 450px) {
/* styles for full width nav col, 2 list cols */
ul.footer_nav li ul.pad {
padding: 32px 30px 32px 0;
}
ul.footer_nav li ul.pad.last {
padding-right: 0;
padding-left: 0;
}
ul.footer_nav li ul.pad.second {
padding-top: 0;
}
ul.footer_nav li ul.pad.first {
padding-bottom: 0;
}
ul.footer_nav li.list_col {
display: inline-block;
text-align: left;
}
}
@media screen and (min-width: 800px) {
/* styles for full width nav col, 4 list cols */
ul.footer_nav li ul.pad.first, ul.footer_nav li ul.pad.second {
padding: 32px 30px 32px 0;
}
li.nopad {
display:inline-block;
}
}
@media screen and (min-width: 1050px) {
/* styles for full width nav col, expanded 4 list cols - large screens */
ul.footer_nav li ul.pad {
padding: 32px 40px 32px 0;
}
}
#footer .footer_corporate img {
max-width: 85px;
margin-top: 20px;
}
.underline {
text-decoration: underline;
}
.footer_corporate {
padding-bottom: 15px;
border-top: 2px solid #3f4143;
line-height: 1.35em;
}
#footer h5 {
font-weight: 400;
font-size: 11pt;
text-align: center;
color: #747678;
letter-spacing: .25pt;
}
.row {
clear: both;
}
@media screen and (min-width: 992px) {
.connect_social ul {
text-align: right;
padding-right: 20px;
padding-bottom: 0;
}
.connect_social {
width: 25%;
display:inline-block;
}
.col-md-9 {
width:75%;
float: left;
}
#footer h5 {
padding-top: 35px;
text-align: right;
padding-right: 52px;
}
}
.connect_social ul {
text-align: center;
padding-right: 0;
padding-bottom: 15px;
padding-left: 0;
}
.connect_social ul li {
display: inline-block;
}
.connect_social ul li img {
width: 33px;
height: 33px;
margin: 5px 3px;
}
#footer a {
color: rgb(94, 95, 96);
cursor: pointer;
}
#footer a:hover {color: #f19615;}
/*********** Layout Styles *********/
.col_single {
max-width: 1100px;
width: 90%;
margin: 0px auto;
background-color: #303338;
height: 100%;
float: none;
padding: 80px 0px;
}
#main-wrapper {
margin-left: 2%;
width: 98%;
display: inline;
word-wrap: break-word;
overflow: hidden;
}
@media (min-width: 950px) {
#main-wrapper {
width: 67%;
float: left;
}
}
.full-height {
height: 100%
}
#content-wrapper {
display: inline-block;
}
/*********** Sidebar Styles ************/
#sidebar-wrapper {
margin-right: 2%;
display: inline;
word-wrap: break-word;
overflow: hidden;
padding-top: 20px;
border-left: 2px solid #26282A;
}
@media (min-width: 950px) {
#sidebar-wrapper {
width: 25%;
float: right;
}
}
.sidebar h2 {
font-family: 'Exo 2', sans-serif;
font-weight: 700;
color: #3f7b9f;
text-transform: uppercase;
font-size: 11pt;
letter-spacing: 1.5pt;
}
.sidebar ul li {
font-size: 9pt;
}
.sidebar .widget {
border-bottom: 2px solid #5c656d;
margin: 0 0 1.5em;
padding: 0 0 1.5em;
}
a.post-count-link {
font-family: 'Exo 2', sans-serif;
color: #9EA0A5;
text-transform: uppercase;
letter-spacing: 1.5pt;
font-weight: 500;
}
a.post-count-link:hover {
color: #f19615;
}
.posts a {
color: #ffffff;
}
.posts a:hover {
color: #f19615;
}
/** zippy is the triangle expanders **/
.zippy {
color: #9EA0A5;
}
.subscribe-wrapper {
margin: 0.5em 0;
}
div.subscribe {
background-color: #5c656d;
font-size: 10pt;
font-weight: 100 !important;
color: #ffffff;
border-radius: 2px;
width: 100%;
line-height: 2em;
padding: 1px;
margin: 8px 0;
transition: background-color 0.5s ease;
}
div.subscribe:hover {
background-color: #9EA0A5;
}
div.subscribe div.top, div.subscribe div.bottom {
background-image: none !important;
width: 100%;
}
.feed-icon {
padding: 4px 10px 6px 5px;
width: 15px;
height: auto;
vertical-align: middle;
}
.subscribe-dropdown-arrow {
margin-top: 3px;
margin-left: 10px;
}
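/* Subscribe-box link text stays white regardless of the generic `a` colour rules. */
a.feed-reader-link {
color: #ffffff !important; /* stray second ';' removed */
}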
.gsc-search-button {
background-color: #5c656d;
border-radius: 2px;
border: none;
color: #ffffff;
}
input.gsc-input {
width: 95% !important;
height: 20px;
}
form.gsc-search-box {
margin-top: 7px !important;
}
#Gadget1 h2 {
display: none;
}
#Gadget1 {
text-align: left;
}
.blog-content, .blog-content a {
color: #ffffff;
text-decoration: none;
}
.blog-title, .blog-title a {
font-family: 'Exo 2', sans-serif;
color: #9EA0A5;
text-transform: uppercase;
letter-spacing: 1.5pt;
font-weight: 500;
text-decoration: none;
padding-bottom: 4px;
}
.blog-title a:hover, .blog-content a:hover {
color: #f19615;
}
.blog-list-container .blog-icon {
display: none;
}
/*********** Blog Post Styles ***********/
.post-outer {
margin-bottom: 40px;
}
.date-header {
font-family: 'Exo 2', sans-serif;
font-weight: 700;
color: #9EA0A5;
text-transform: uppercase;
font-size: 9pt;
letter-spacing: 1.5pt;
padding-bottom: 5px;
}
.date-outer {padding: 0;}
.date-outer a {
color: #ffffff;
box-shadow: 0px 1px 0px 0px #F19615;
text-decoration: none;
}
.post-title, .post-title a {
font-family: 'Exo 2', sans-serif;
font-size: 19pt;
font-weight: 400;
text-transform: uppercase;
color: #3f7b9f;
text-decoration: none;
padding-bottom: 20px;
box-shadow: none;
}
h3 {
font-family: 'Exo 2', sans-serif;
font-weight: 500;
color: #3f7b9f;
font-size: 14pt;
text-transform: uppercase;
padding-top: 20px;
}
h5 {
font-family: 'Exo 2', sans-serif;
font-weight: 700;
color: #587282;
font-size: 9pt;
text-transform: uppercase;
letter-spacing: 1.5pt;
margin: 0;
padding-top: 10px;
}
pre {
font-family: 'Fira Mono', monospace;
font-size: 10pt !important;
line-height: 1.5em !important;
color: #f19615;
border: 2px solid #5c656d;
padding: 20px;
background-color: #26282a;
margin: 30px 0;
white-space: pre-wrap; /* css-3 */
white-space: -moz-pre-wrap; /* Mozilla, since 1999 */
white-space: -pre-wrap; /* Opera 4-6 */
white-space: -o-pre-wrap; /* Opera 7 */
word-wrap: break-word;
max-width: 700px;
}
.entry-content h2 {
font-family: 'Exo 2', sans-serif;
font-weight: 400;
color: #3f7b9f;
text-transform: uppercase;
font-size: 14pt;
letter-spacing: 1.5pt;
}
.entry-content, .post-body {
color: #FFFFFF;
font-family: 'Roboto', sans-serif;
font-weight: 100;
font-size: 11.5pt;
line-height: 1.5em !important;
}
.entry-content i {
word-wrap: break-word; /* Specifically for mobile display */
overflow-wrap: break-word;
word-break: break-all;
}
.entry-content img {
max-width: 100%;
height: auto;
margin-top: 30px;
margin-bottom: 10px;
}
figcaption {
font-size: 10pt;
color: #ec6e08;
font-weight: 500;
margin-bottom: 30px;
text-align: left;
}
/* NOTE(review): these two declarations sit directly inside @media with no selector,
   which is invalid CSS -- the parser drops both, so this block currently does nothing.
   From the surrounding rules it was presumably meant to cap `.entry-content img` at
   700px on wide screens (cf. `pre { max-width: 700px }`) -- TODO confirm and add the selector. */
@media (min-width: 950px) {
max-width: 700px;
height: auto;
}
.post-body {
margin-top: 10px;
}
.post-body table {
}
p {
padding: .75em 0;
margin: 0;
}
.post-footer {
margin: 40px 0 15px 0;
}
.post-footer-line a, .comment-author a, .comment-timestamp a, .comment-footer a {
text-decoration: none;
box-shadow: none;
color: #f19615;
}
.post-footer-line, .comment-author, .comment-timestamp, .comment-footer {
color: #9EA0A5;
font-size: 9pt;
letter-spacing: 1.5pt;
font-family: 'Exo 2', sans-serif;
font-weight: 400;
text-transform: uppercase;
}
.post {
margin: .5em 0 1.5em;
border-bottom: 1px solid #5c656d;
padding-bottom: 1.5em;
}
#comments {
border-bottom: 1px solid #5c656d;
padding: 20px 0;
margin-bottom: 40px;
}
.comment {
border-bottom: 1px solid #5c656d;
}
#comments .blogger-comment-icon, .blogger-comment-icon {
padding: 0;
background: none;
}
.comment-author {
border-top: 1px solid #5c656d;
padding-top: 20px !important;
}
.comments .avatar-image-container {
display:none;
}
.comment-header .user, .comment-header .user a {
color: #f19615;
font-family: 'Exo 2', sans-serif;
font-weight: 500 !important;
text-transform: uppercase;
box-shadow: none;
}
.comment-header .datetime, .comment-header .datetime a {
color: #9EA0A5;
font-family: 'Exo 2', sans-serif;
font-weight: 300;
text-transform: uppercase;
box-shadow: none;
}
.comments .comment-replybox-thread {
margin-top: 40px;
}
h4 {
font-family: 'Exo 2', sans-serif;
font-weight: 500;
text-transform: uppercase;
color: #9EA0A5;
}
img.email {
width: 25px;
height: auto;
}
.blog-pager, .feed-links {
color: #9EA0A5;
font-size: 9pt;
letter-spacing: 1.5pt;
font-family: 'Exo 2', sans-serif;
font-weight: 400;
text-transform: uppercase;
}
.blog-pager a, .feed-links a {
box-shadow: none;
color: #f19615;
}
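/* Share-bar links: clear the box-shadow underline this sheet puts on links. */
.social-media-share a {
/* was 'box-border', which is not a CSS property (declaration dropped). The other link
   rules here (.blog-pager a, .post-footer-line a, .post-title a) clear the underline
   with box-shadow: none, which is presumably what was intended. */
box-shadow: none !important;
}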
.social-media-share {
margin-top: 15px;
}
.social-media-share img {
width: 25px;
height: 25px;
margin-right: 8px;
}
.social-media-share span {
font-family: 'Exo 2', sans-serif;
font-weight: 500;
text-transform: uppercase;
color: #9EA0A5;
}
.social-call {
float: left;
padding-top: 4px;
margin-right: 15px;
}
iframe {
margin: 20px 0;
max-width: 100%;
}
/****** Search & Label Filter Results ****/
.status-msg-wrap {
width: 100%;
border-bottom: 1px solid #5c656d;
text-align: left;
padding-bottom: 10px;
margin-bottom: 20px;
}
.status-msg-body {
text-align: left;
letter-spacing: 1.5pt;
font-family: 'Exo 2', sans-serif;
font-weight: 300;
text-transform: uppercase;
}
.status-msg-body a {
text-decoration: none;
color: #3f7b9f;
font-weight: 500;
}
.status-msg-body b {
color: #f19615;
}
.status-msg-bg {
background-color: transparent;
}
.status-msg-border {
border: none;
}
#uds-searchControl .gsc-results {
background-color: transparent !important;
border-bottom: 2px solid #5c656d !important;
border-top: 0 !important;
border-left: 0 !important;
border-right: 0 !important;
}
.gsc-result {
margin-bottom: 10px !important;
padding-bottom: 10px !important;
}
.gs-relativePublishedDate {
font-family: "Exo 2",sans-serif;
font-weight: 500;
font-size: 9pt;
color: #9EA0A5 !important;
text-transform: uppercase;
letter-spacing: 1.5pt;
}
#uds-searchControl .gs-result .gs-title, #uds-searchControl .gs-result .gs-title *, #uds-searchControl .gsc-results .gsc-trailing-more-results, #uds-searchControl .gsc-results .gsc-trailing-more-results * {
font-family: "Exo 2",sans-serif;
font-weight: 700;
text-transform: uppercase;
letter-spacing: 1.5pt;
color: #6a8596 !important;
text-decoration: none !important;
}
#uds-searchControl .gs-result .gs-title b {
color: #F19615 !important;
}
.gs-visibleUrl a.gs-visibleUrl {
color: #ffffff !important;
text-decoration: none;
box-shadow: 0px 1px 0px 0px #F19615;
line-height: 2em !important;
}
.gsc-url-bottom .gs-visibleUrl {
color: #F19615 !important;
font-weight: 700;
line-height: 2em !important;
text-decoration: underline;
}
#uds-searchControl .gsc-cursor-current-page {
color: #ffffff;
}
.gs-snippet {
padding-top: 5px !important;
}
#uds-searchControl .gsc-tabHeader.gsc-tabhActive {
background-color: #9EA0A5;
text-transform: uppercase;
font-family: "Exo 2",sans-serif;
}
#uds-searchControl .gsc-tabHeader.gsc-tabhInactive {
background-color: #5c656d;
text-transform: uppercase;
font-family: "Exo 2",sans-serif;
}
#uds-searchControl .gsc-tabHeader.gsc-tabhActive, #uds-searchControl .gsc-tabHeader.gsc-tabhInactive {
border: none !important;
border-top-left-radius: 4px;
border-top-right-radius: 4px;
font-weight: 600;
color: #212224;
padding: 3px 10px;
margin: 0 2px 0 0;
}
.gsc-tabsArea {
margin-bottom: 0 !important;
}
.gsc-above-wrapper-area {
padding: 5px 0 1px 0 !important;
border-bottom: 2px solid #9EA0A5 !important;
}
#uds-searchControl .gsc-cursor-current-page {
color: #ffffff !important;
}
.gsc-results .gsc-cursor-box .gsc-cursor-page {
text-decoration: none !important;
color: #9EA0A5 !important;
}
#uds-searchClearResults {
height: 15px !important;
width: 15px !important;
border-width: 2px !important;
}
.gsc-result-info {
color: #ffffff !important;
}
.gsc-webResult .gsc-result {
border-bottom: 1px solid #5c656d !important;
}
.gs-per-result-labels {
text-transform: uppercase;
font-family: "Exo 2",sans-serif;
font-size: 9pt;
color: #9EA0A5 !important;
font-weight: 500;
}
.gs-webResult div.gs-per-result-labels a.gs-label {
text-transform: uppercase;
font-family: "Exo 2",sans-serif;
font-size: 9pt;
color: #3f7b9f !important;
font-weight: 700;
text-decoration: none !important;
}
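/* Hide #Navbar1. The original declaration was misspelled ("dispaly"), so the
   browser dropped it and this rule had no effect. */
#Navbar1 { display: none !important; }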
--></style>
<script type="text/javascript">
// Record a "headEnd" tick on the page-load timer when the timing helper is present.
window.jstiming && window.jstiming.load.tick('headEnd');
</script><script type="text/javascript" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/saved_resource"></script><link type="text/css" href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/default+en.css" rel="stylesheet"><script type="text/javascript" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/default+en.I.js"></script></head>
<body>
<div class="container-fluid full-height">
<div class="row full-height">
<div class="col-xs-12 col_single">
<div class="row">
<div class="col-xs-12 publication" id="content-wrapper">
<div id="main-wrapper">
<div class="main section" id="main"><div id="uds-searchControl"><a name="uds-search-results"></a><div id="uds-searchResults"><div class="gsc-control" dir="ltr"><div class="gsc-results-wrapper-nooverlay"><div class="gsc-tabsAreaInvisible"><div class="gsc-tabHeader gsc-inline-block gsc-tabhActive">This Blog</div><span class="gs-spacer"> </span><div tabindex="0" class=" gsc-tabHeader gsc-tabhInactive gsc-inline-block">Linked From Here</div><span class="gs-spacer"> </span><div tabindex="0" class=" gsc-tabHeader gsc-tabhInactive gsc-inline-block">The Web</div><span class="gs-spacer"> </span></div><div class="gsc-above-wrapper-area-invisible"><table cellspacing="0" cellpadding="0" class="gsc-above-wrapper-area-container"><tbody><tr><td class="gsc-result-info-container"><div class="gsc-result-info-invisible"></div></td></tr></tbody></table></div><div class="gsc-resultsbox-invisible"><div class="gsc-resultsRoot gsc-tabData gsc-tabdActive"><table cellspacing="0" cellpadding="0" class="gsc-resultsHeader"><tbody><tr><td class="gsc-twiddleRegionCell"><div class="gsc-twiddle"><div class="gsc-title">This Blog</div></div><div class="gsc-stats"></div><div class="gsc-results-selector gsc-more-results-active"><div class="gsc-result-selector gsc-one-result" title="show one result">&nbsp;</div><div class="gsc-result-selector gsc-more-results" title="show more results">&nbsp;</div><div class="gsc-result-selector gsc-all-results" title="show all results">&nbsp;</div></div></td><td class="gsc-configLabelCell"></td></tr></tbody></table><div><div class="gsc-expansionArea"></div></div></div><div class="gsc-resultsRoot gsc-tabData gsc-tabdInactive"><table cellspacing="0" cellpadding="0" class="gsc-resultsHeader"><tbody><tr><td class="gsc-twiddleRegionCell"><div class="gsc-twiddle"><div class="gsc-title">Linked From Here</div></div><div class="gsc-stats"></div><div class="gsc-results-selector gsc-more-results-active"><div class="gsc-result-selector gsc-one-result" title="show one 
result">&nbsp;</div><div class="gsc-result-selector gsc-more-results" title="show more results">&nbsp;</div><div class="gsc-result-selector gsc-all-results" title="show all results">&nbsp;</div></div></td><td class="gsc-configLabelCell"></td></tr></tbody></table><div><div class="gsc-expansionArea"></div></div></div><div class="gsc-resultsRoot gsc-tabData gsc-tabdInactive"><table cellspacing="0" cellpadding="0" class="gsc-resultsHeader"><tbody><tr><td class="gsc-twiddleRegionCell"><div class="gsc-twiddle"><div class="gsc-title">The Web</div></div><div class="gsc-stats"></div><div class="gsc-results-selector gsc-more-results-active"><div class="gsc-result-selector gsc-one-result" title="show one result">&nbsp;</div><div class="gsc-result-selector gsc-more-results" title="show more results">&nbsp;</div><div class="gsc-result-selector gsc-all-results" title="show all results">&nbsp;</div></div></td><td class="gsc-configLabelCell"></td></tr></tbody></table><div><div class="gsc-expansionArea"></div></div></div></div></div></div></div><div id="uds-searchClearResults" class="gsc-clear-button" style="display: none;">&nbsp;</div></div><div class="widget Blog" id="Blog1">
<div class="blog-posts hfeed">
<div class="date-outer">
<h2 class="date-header"><span>Thursday, January 7, 2016</span></h2>
<div class="date-posts">
<div class="post-outer">
<div class="post hentry uncustomized-post-template" itemprop="blogPost" itemscope="itemscope" itemtype="http://schema.org/BlogPosting">
<meta content="http://1.bp.blogspot.com/-KYsiHbwv39Y/Vo6YDnix8oI/AAAAAAAAATo/k8MhIHC894w/s640/01-js.png" itemprop="image_url">
<meta content="1029833275466591797" itemprop="blogId">
<meta content="1476026378647980857" itemprop="postId">
<a name="1476026378647980857"></a>
<h3 class="post-title entry-title" itemprop="name">
Rigging compromise - RIG Exploit Kit
</h3>
<div class="post-header">
<div class="post-header-line-1"></div>
</div>
<div class="post-body entry-content" id="post-body-1476026378647980857" itemprop="description articleBody">
<i>This post was authored by <a href="http://blogs.cisco.com/author/NickBiasini">Nick Biasini</a> with contributions by <a href="http://blogs.cisco.com/author/JoelEsler">Joel Esler</a>.</i><br>
<br>
Exploit kits are one of the biggest threats affecting users, both inside and outside the enterprise, as they indiscriminately compromise anyone who simply visits a web site, delivering a malicious payload. One of the challenges with exploit kits is that at any given time there are numerous kits active on the Internet. RIG is one of these exploit kits that is always around, delivering malicious payloads to unsuspecting users. RIG first appeared in our telemetry back in <a href="http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html">November of 2013</a>; back then we referred to it as <a href="http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html">Goon</a>, but today it's known as RIG.<br>
<br>
We started focusing on RIG and found some interesting data similar to what we found while analyzing <a href="http://www.talosintel.com/angler-exposed/">Angler</a>. This post will discuss RIG, findings in the data, and what actions were taken as a result.<br>
<br>
<h3>
The Exploit Kit Overview</h3>
<br>
RIG compromises users like any exploit kit. It starts with a user being redirected to a landing page. This is done via malicious iframes or malvertising and looks similar to the following:<br>
<br>
It begins with an initial link to a JavaScript file:<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-KYsiHbwv39Y/Vo6YDnix8oI/AAAAAAAAATo/k8MhIHC894w/s1600/01-js.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/01-js.png" width="640"></a></div>
<br>
<br>
<a name="more"></a><br>
<br>
Then when the browser is redirected it receives the following:<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-KVLJ3IULXQw/Vo6amuFRw0I/AAAAAAAAATw/YxHQ81yrL8w/s1600/02-browser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/02-browser.png" width="640"></a></div>
<br>
<br>
This page is just a simple iframe that retrieves the actual landing page. The request for the landing page looks like:<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-KWk9_CBKvog/Vo6auuoOCgI/AAAAAAAAAT4/SvNMtgKodNI/s1600/03-page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/03-page.png" width="640"></a></div>
<br>
<br>
<br>
When the user is actually delivered a landing page, it is highly obfuscated and lacks some of the English based text we see in other exploit kits. Below is a small sample of the obfuscated landing page:<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ulT-hWFeNNs/Vo6bG0KFg8I/AAAAAAAAAUA/CPWebHO430g/s1600/04-page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/04-page.png" width="640"></a></div>
<br>
<br>
After probing the browser RIG delivers an exploit to the end user. Below is an example of flash exploit that RIG was delivering:<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-i53j37Gs91k/Vo6btcchSjI/AAAAAAAAAUI/y2_XSGniqCY/s1600/05-delivery.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/05-delivery.png" width="640"></a></div>
<br>
<br>
One interesting aspect of RIG is that the actual payload is obtained in a separate GET request. We usually see the exploit and payload delivered together, or at least delivered in a highly obfuscated manner, not a GET request delivering an actual executable. This is not the case for RIG. Below is a sample of the GET request for the malicious payload:<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-yJn-GoKDmgY/Vo6b4skex2I/AAAAAAAAAUQ/mjuDgTUiu74/s1600/06-payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/06-payload.png" width="640"></a></div>
<br>
<br>
A final interesting aspect of RIG is the naming convention for the payloads on the end system. RIG tries to disguise them as legitimate Windows services. Common examples included defsrag.exe, dissdkchk.exe, systemrestore.exe. These are designed to look similar to defrag, diskchk, and the system restore functionality in Windows. However, in all cases these files were dropped into TEMP folders instead of SYSTEM32, where they would be expected to be located. <br>
<br>
<h3>
The Data</h3>
<br>
RIG exploit kit is steadily compromising users, below is a sample of the data we gathered over two months related to systems serving RIG exploit kit. Users were being driven to RIG through malicious iframes and malvertising. The overall volume of activity was lower, affecting hundreds of users, instead of the thousands we saw impacted by Angler.<br>
<br>
<h4>
Domain Activity</h4>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-DVDqQDak4as/Vo6cPxe9B9I/AAAAAAAAAUY/VPWd6hulC74/s1600/07-domain-act.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="419" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/07-domain-act.png" width="640"></a></div>
<br>
An analysis of the data associated with RIG revealed some familiar patterns. First was the use of domain shadowing. We found that domain shadowing is currently being used exclusively to host RIG; unlike with Angler, we were unable to find other domain activity during the two month period. This particular use of domain shadowing has interesting aspects related to the subdomains themselves. RIG is using very short string-based subdomains, ranging from English words like admin, user, news, and server to short random strings like qwe21, qwe23, htr43, and htr43. Leveraging the IP addresses found, we were able to identify in excess of 7000 subdomains being used by RIG over several months. The activity was spread evenly among those subdomains, with few having more than 10 hits in the months of activity and the majority having fewer than five.<br>
<br>
<h4>
Referers</h4>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-1gmQ1s_-jLU/Vo6cd9WVcUI/AAAAAAAAAUg/D7kk7enHqZM/s1600/08-referers.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="417" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/08-referers.png" width="640"></a></div>
<br>
RIG, like most exploit kits, infects users via malicious iframes injected into websites and via malvertising. There were a couple of interesting things that we observed in the data. First is the use of Google and Bing in the redirection chain. We have seen this before with the Nuclear exploit kit; it provides an extra layer in the chain to help ensure users reach the landing pages. The second interesting fact dealt with volume: there were more than 60 unique referers observed over the two month period, but the average volume was low, with most having fewer than five entries.<br>
<br>
<h4>
Exploits</h4>
During the two month period shown here we saw RIG using Flash to compromise systems. The primary exploit being used was CVE-2015-5119. We saw a total of 30 unique hashes being used to compromise systems during the two month period. 70% of those hashes were known by VirusTotal and had some protection from an AV perspective. Despite that users were still being compromised and malicious payloads were being delivered.<br>
<br>
<h4>
Payloads</h4>
The most common exploit kit payload today is overwhelmingly ransomware; RIG, however, was decidedly different: it was exclusively delivering spambot variants. The most common payloads were variants of Tofsee, which is a spam botnet. The way these payloads work is by sending large amounts of spam email related to various topics. Spambot payloads were very common in exploit kits several years ago, but most have moved on to payloads that guarantee quick monetization. The use of these payloads by RIG is an interesting differentiator from other exploit kits Talos has been observing.<br>
<br>
Most of the payloads we found had very good detection on VirusTotal with most being detected by more than half of the AV vendors. Again, despite this RIG continues to successfully compromise users that are primarily using versions of Internet Explorer on Windows platforms, based on the user agent information.<br>
<br>
<h4>
IP Infrastructure</h4>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-RKU1vYovhz8/Vo6cr6uFQbI/AAAAAAAAAUo/ZakrrgWY5Nw/s1600/09-ip-inf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="417" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/09-ip-inf.png" width="640"></a></div>
<br>
This is the most interesting aspect of our RIG research. We observed 44 different IP addresses delivering some form of RIG. As shown above, on most days there were only one or two IPs actively hosting RIG. <br>
<br>
When we resolved the IPs to their associated ASN we found something surprising: with the exception of a single IP address, all of them belonged to the same ASN (35415).<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OCppf68xuwQ/Vo6c1RD7dwI/AAAAAAAAAUw/gZm1r_LIabU/s1600/10-asn.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/10-asn.png" width="569"></a></div>
<br>
<br>
This particular ASN is associated with Webzilla, a provider out of Russia. Further investigation actually revealed that all of the addresses were leased to Eurobyte, which is another Russian provider. Talos reached out to both providers giving them the information regarding the hosts that we observed serving RIG. Webzilla responded and identified the customers that were generating the events and blocked the hosts successfully. Below is a graph showing the RIG activity we observed during our investigation:<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3-IF1dmG5_k/Vo6eKKgn1gI/AAAAAAAAAU4/n2s96Rrq810/s1600/11-rig-act.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="412" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/11-rig-act.png" width="640"></a></div>
<br>
<br>
Monitoring the amount of RIG activity after our notification, we have consistently seen new servers hosted by Eurobyte being stood up and compromising users via RIG. We again reached out to Eurobyte to try and get a response directly from the provider where the malicious activity is being hosted. Despite multiple emails to Eurobyte, RIG activity continued, as new addresses were stood up after the previous ones had been reported to Webzilla. This underscores one of the major problems we face today: leaf providers. Because providers can have multiple downstream leaf providers, we find that we routinely have success in dealing with the larger providers; they help get systems shut down, but without the cooperation of the smaller downstream providers the adversaries just stand up new servers and move on. We were able to inflict some damage on RIG during our investigation, but were unable to actually get the actors behind the activity stopped.<br>
<br>
<h3>
Response</h3>
<br>
Since Eurobyte chose not to acknowledge or respond to our repeated messages, we did a little further research on the activity associated with the provider. We worked with our research partners at OpenDNS Labs to get better visibility into the domains that were hosted. Based on our research we found a total of seven class C networks owned by the provider, with one of the class C's serving as their corporate network. Based on the information OpenDNS provided, we found approximately 25,000 domains being hosted on this address space. These domains were heavily leveraging the Russian TLD (.ru), as expected. Three of the class C networks were seen serving RIG during the period. We took the domains that OpenDNS provided and queried them against Talos's automated web reputation. We found that of the six class C address spaces being used by Eurobyte, five were scored significantly negatively in web reputation. The only exception was one class C network that was hosting the Russian payment platform e-autopay&lt;dot&gt;com.<br>
<br>
Based on all this information and Eurobyte's failure to respond to or even acknowledge abuse requests, Talos and OpenDNS have decided to blacklist the five suspect subnets for a period of 30 days. After this time Talos and OpenDNS will re-evaluate the provider to determine if an extended blacklisting should occur. This activity will add all the IPs in the address spaces to Cisco's IP and Domain intelligence blacklists. These blacklists are leveraged by multiple Cisco security products and will effectively protect our customers from any activity from this provider. This includes all technologies that consume our reputation services. The advantage of these blacklists, as well as of our fantastic Advanced Malware Protection (AMP) line of products, is that this detection adapts and changes in real time to the threat.<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-AY5A-TYaWes/Vo6eUZTRxAI/AAAAAAAAAVA/tI-1GKb90uU/s1600/12-opendns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/12-opendns.png" width="640"></a></div>
<br>
<br>
Additionally, after reviewing the data provided by OpenDNS, we worked with them to make sure that the threat was mitigated from their perspective as well. We found that the majority of the address space was already being blocked by OpenDNS, but we were able to round out the protection and make sure that Eurobyte won't be serving malicious content to either Cisco or OpenDNS customers. For additional information on how OpenDNS has been tracking RIG, please see the following <a href="https://labs.opendns.com/2015/11/19/sprank-and-ip-space-monitoring/">blog</a> from the most recent talk at <a href="https://www.youtube.com/watch?v=8edBgoHXnwg">Brucon</a>. <br>
<br>
<h3>
Detection</h3>
<br>
Talos's unparalleled visibility into threat data allows us to automatically adjust protection for our customers based upon real-world visibility into data: convicting IPs and domains, affecting the reputation of files in our AMP products, and easily turning any of our data collection systems against each other, each updating quickly to protect every single one of Cisco's security customers against the threat in real time, and continuously.<br>
<br>
<h3>
IOC</h3>
<br>
<h4>
IP Information</h4>
46.30.42.0/24<br>
46.30.43.0/24<br>
46.30.44.0/24<br>
46.30.45.0/24<br>
46.30.46.0/24 <br>
<br>
<h4>
<a href="http://blogs.cisco.com/wp-content/uploads/rig_domains_unique.txt">Domain Information (Text File)</a></h4>
<br>
<h3>
Conclusion</h3>
<br>
The exploit kit problem is larger than just Angler. However, the news related to exploit kits was largely focused on Angler in 2015, and Angler now seems to have been on a temporary vacation since the end of 2015. This is expected given the sophistication, scope, and innovation that Angler incorporates. However, as evidenced by this research, it doesn't take innovation and sophistication to compromise users. RIG exploit kit is steadily and consistently compromising users and delivering malicious payloads. Visibility into the other exploit kits is valuable and necessary to help shed light on their behavior and identify the providers they are leveraging, in order to help protect and educate the community.<br>
<br>
Additionally, this research shed light on the problem of leaf providers. Providers are in a tough spot, with lots of systems and limited resources. That was one of the driving forces behind <a href="http://www.talosintel.com/aspis/">Project Aspis</a>: to help aid providers by providing resources to help them identify and mitigate these threats. It's understandable that malicious activity is going to occur at hosting providers. It's impossible for them to know the intentions of a customer when they are purchasing systems. At the same time, when a provider is notified of malicious activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected, since reporting the abuse alone is not enough.<br>
<br>
<h3>
Coverage</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-8SQMaYvEu5U/Vo6guoSW6cI/AAAAAAAAAVM/vBriFRdAuYQ/s1600/Screen%2BShot%2B2016-01-07%2Bat%2B11.29.57%2BAM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="204" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/Screen+Shot+2016-01-07+at+11.29.57+AM.png" width="320"></a></div>
<br>
Advanced Malware Protection (<a href="http://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br>
<br>
<a href="http://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a> or <a href="http://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br>
<br>
The Network Security protection of <a href="http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">IPS</a> and <a href="http://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html">NGFW</a> has up-to-date signatures to detect malicious network activity by threat actors.
<div style="clear: both;"></div>
</div>
<div class="post-footer">
<div class="post-footer-line post-footer-line-1">
<span class="post-author vcard">
Posted by
<span class="fn" itemprop="author" itemscope="itemscope" itemtype="http://schema.org/Person">
<meta content="https://www.blogger.com/profile/12206979422726316011" itemprop="url">
<a class="g-profile" href="https://www.blogger.com/profile/12206979422726316011" rel="author" title="author profile" data-gapiscan="true" data-onload="true" data-gapiattached="true">
<span itemprop="name">William Largent</span>
</a>
</span>
</span>
<span class="post-timestamp">
at
<meta content="http://blog.talosintel.com/2016/01/rigging-compromise.html" itemprop="url">
<a class="timestamp-link" href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit.html" rel="bookmark" title="permanent link"><abbr class="published" itemprop="datePublished" title="2016-01-07T10:52:00-05:00">10:52 AM</abbr></a>
</span>
<span class="reaction-buttons">
</span>
<span class="post-comment-link">
</span>
<span class="post-backlinks post-comment-link">
</span>
</div>
<div class="post-footer-line post-footer-line-2">
<span class="post-labels">
Labels:
<a href="http://blog.talosintel.com/search/label/exploit%20kit" rel="tag">exploit kit</a>,
<a href="http://blog.talosintel.com/search/label/Malware" rel="tag">Malware</a>,
<a href="http://blog.talosintel.com/search/label/RIG" rel="tag">RIG</a>,
<a href="http://blog.talosintel.com/search/label/Threat%20Research" rel="tag">Threat Research</a>
</span>
</div>
<div class="post-footer-line post-footer-line-3">
<div style="text-align: left;">
</div>
<span class="post-location">
</span>
</div>
</div>
</div>
<div class="comments" id="comments">
<a name="comments"></a>
<h4>2 comments:</h4>
<div class="comments-content">
<script async="async" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/comments.js" type="text/javascript"></script>
<script type="text/javascript">
(function() {
// Server-side snapshot of the comments already rendered into the page. Each
// entry carries the numeric comment id, the body as HTML (Blogger encodes
// '<', '>', '&' and '=' as the octal escapes \74, \76, \46 and \075), the
// publish timestamp in ms, the permalink, the author, and the admin-only
// CSS class used to show the Delete control. 'parentId' links a reply to
// the comment it answers.
var items = [{'id': '6078340197179772689', 'body': 'As it happens, I\46#39;m just running an analysis on sites hosted by Eurobyte LLC either currently on in the past, using a somewhat different data set. So far, out of 7500 sites analysed, 35% are tagged by Google as being malicious. This probably means that many of the other 65% are also bad, but they just haven\46#39;t been tagged.\74br /\76\74br /\76The Eurobyte LLC range is actually a bit bigger than you specify, they rent the entire 46.30.40.0/21 range from Webzilla. The /24s you are missing are:\74br /\76\74br /\07646.30.40.0/24\74br /\07646.30.41.0/24\74br /\07646.30.47.0/24\74br /\76\74br /\76Webzilla also provide services for the fairly notorious McHost.ru in the 178.208.64.0/19 range.', 'timestamp': '1452381311833', 'permalink': 'http://blog.talosintel.com/2016/01/rigging-compromise.html?showComment\0751452381311833#c6078340197179772689', 'author': {'name': 'Conrad Longmore', 'profileUrl': 'https://www.blogger.com/profile/11751822299235747323'}, 'displayTime': 'January 9, 2016 at 6:15 PM', 'deleteclass': 'item-control blog-admin pid-1981235959'}, {'id': '8490361460388640749', 'parentId': '6078340197179772689', 'body': 'Thanks for the info Conrad. We chose not to block several of the ranges since they were either hosting legitimate activity or were the corporate address space for Eurobyte.', 'timestamp': '1452536697231', 'permalink': 'http://blog.talosintel.com/2016/01/rigging-compromise.html?showComment\0751452536697231#c8490361460388640749', 'author': {'name': 'Nick Biasini', 'profileUrl': 'https://www.blogger.com/profile/11420644688145888259'}, 'displayTime': 'January 11, 2016 at 1:24 PM', 'deleteclass': 'item-control blog-admin pid-155477952'}];
// UI strings handed to the comments library via provider.messages.
var msgs = {'loadMore': 'Load more...', 'loading': 'Loading...', 'loaded': 'No more!', 'addComment': 'Add comment', 'reply': 'Reply', 'delete': 'Delete'};
// Widget configuration: 'feed' is the comments Atom feed that paginator()
// loads via JSONP; 'authorName'/'authorUrl' are compared in getMeta() to
// flag comments left by the post author; 'baseUri' is the origin used to
// build delete links; 'maxThreadDepth' caps reply nesting (see configJso).
var config = {'blogId': '1029833275466591797', 'postId': '1476026378647980857', 'feed': 'http://blog.talosintel.com/feeds/1476026378647980857/comments/default', 'authorName': 'William Largent', 'authorUrl': 'https://www.blogger.com/profile/12206979422726316011', 'baseUri': 'https://www.blogger.com', 'maxThreadDepth': 2};
// <![CDATA[
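// Pagination cursor: one millisecond past the timestamp of the last
// pre-rendered comment, or null when there is nothing to page from.
// The radix is given explicitly so the timestamp string is always read
// as decimal rather than left to implementation-defined detection.
var cursor = null;
if (items && items.length > 0) {
  cursor = parseInt(items[items.length - 1].timestamp, 10) + 1;
}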
var bodyFromEntry = function(entry) {
  // Comment markup for one feed entry. When Blogger has flagged the entry
  // as 'blogger.contentRemoved' the text is wrapped so the stylesheet can
  // present it as a deleted comment; otherwise it is returned as-is.
  // NOTE(review): the returned string is consumed as HTML, not text, so this
  // relies on the feed (config.feed, the blog's own comments feed) already
  // serving sanitised markup.
  var props = entry.gd$extendedProperty;
  if (props) {
    for (var key in props) {
      if (props[key].name == 'blogger.contentRemoved') {
        return '<span class="deleted-comment">' + entry.content.$t + '</span>';
      }
    }
  }
  return entry.content.$t;
};
var parse = function(data) {
  // Convert a JSON-P Atom feed response into the comment objects the
  // comments library expects (same shape as the pre-rendered `items`).
  // Resets the shared pagination cursor; paginator() recomputes it from
  // the returned list.
  cursor = null;
  var out = [];
  var entries = data && data.feed && data.feed.entry;
  if (entries) {
    for (var idx = 0; entries[idx]; idx++) {
      var entry = entries[idx];
      var c = {};
      // Feed ids look like "...blog-<blogId>.post-<commentId>"; keep the second group.
      var idMatch = /blog-(\d+).post-(\d+)/.exec(entry.id.$t);
      c.id = idMatch ? idMatch[2] : null;
      c.body = bodyFromEntry(entry);
      c.timestamp = Date.parse(entry.published.$t) + '';
      if (entry.author && entry.author.constructor === Array) {
        var first = entry.author[0];
        if (first) {
          c.author = {
            name: first.name ? first.name.$t : undefined,
            profileUrl: first.uri ? first.uri.$t : undefined,
            avatarUrl: first.gd$image ? first.gd$image.src : undefined
          };
        }
      }
      // NOTE(review): link[2] and link[3] are addressed positionally (permalink
      // and in-reply-to link respectively, going by the regex below); a change
      // in the feed's link ordering would silently drop both fields.
      var links = entry.link;
      if (links) {
        if (links[2]) {
          c.permalink = links[2].href;
          c.link = c.permalink;
        }
        if (links[3]) {
          var parentMatch = /.*comments\/default\/(\d+)\?.*/.exec(links[3].href);
          if (parentMatch && parentMatch[1]) {
            c.parentId = parentMatch[1];
          }
        }
      }
      // Admin-only controls are shown via this class; the feed may append an
      // item-specific class and a preformatted display time.
      c.deleteclass = 'item-control blog-admin';
      var props = entry.gd$extendedProperty;
      if (props) {
        for (var key in props) {
          var prop = props[key];
          if (prop.name == 'blogger.itemClass') {
            c.deleteclass += ' ' + prop.value;
          } else if (prop.name == 'blogger.displayTime') {
            c.displayTime = prop.value;
          }
        }
      }
      out.push(c);
    }
  }
  return out;
};
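var paginator = function(callback) {
  // Load the next page of up to 50 comments from the Atom feed and pass the
  // parsed list to `callback`. Does nothing once hasMore() reports false.
  if (!hasMore()) {
    return;
  }
  var url = config.feed + '?alt=json&v=2&orderby=published&reverse=false&max-results=50';
  if (cursor) {
    // `cursor` is 1 ms past the newest comment already shown, so only newer
    // entries are requested.
    url += '&published-min=' + new Date(cursor).toISOString();
  }
  // JSONP callback: the feed script invokes this global, which is torn down
  // after a single use.
  window.bloggercomments = function(data) {
    var parsed = parse(data);
    // A short page means the feed is exhausted; otherwise advance the cursor.
    // Explicit radix so the timestamp string is always read as decimal.
    cursor = parsed.length < 50
        ? null
        : parseInt(parsed[parsed.length - 1].timestamp, 10) + 1;
    callback(parsed);
    window.bloggercomments = null;
  };
  url += '&callback=bloggercomments';
  // NOTE(review): this is JSONP — a <script> whose src is built from
  // config.feed is executed with page privileges. config.feed is a literal
  // pointing at the blog's own feed here; it must never be derived from
  // user-controlled input.
  var loader = document.createElement('script');
  loader.type = 'text/javascript';
  loader.src = url;
  document.getElementsByTagName('head')[0].appendChild(loader);
};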
var hasMore = function() {
  // Further pages exist while a pagination cursor is set.
  return cursor ? true : false;
};
var getMeta = function(key, comment) {
  // Per-comment metadata lookup called by the comments library.
  //   'iswriter'    -> 'true' when both the author name and profile URL match
  //                    the post author in `config`, else ''.
  //   'deletelink'  -> Blogger's delete endpoint for this comment id.
  //   'deleteclass' -> CSS class controlling the admin Delete control.
  // Any other key yields ''.
  if (key == 'iswriter') {
    var isAuthor = !!comment.author
        && comment.author.name == config.authorName
        && comment.author.profileUrl == config.authorUrl;
    return isAuthor ? 'true' : '';
  }
  if (key == 'deletelink') {
    // comment.id is expected to be the numeric id extracted in parse()
    // (or from the pre-rendered items); it is concatenated unescaped.
    return config.baseUri + '/delete-comment.g?blogID='
        + config.blogId + '&postID=' + comment.id;
  }
  if (key == 'deleteclass') {
    return comment.deleteclass;
  }
  return '';
};
// Reply-editor state shared by onReply(): the cached editor iframe, its
// URL split at '#', and the id of the comment the editor is attached to.
var replybox = null, replyUrlParts = null, replyParent;
var onReply = function(commentId, domId) {
  // Move the shared comment-editor iframe under the element `domId` and
  // point it at the editor URL with `commentId` appended as parentID.
  // Repeated calls for the same commentId are no-ops.
  if (replybox == null) {
    // First use: cache the iframe, make it visible and split its URL at '#'
    // so the fragment can be re-appended after the parentID parameter.
    var editor = document.getElementById('comment-editor');
    replybox = editor;
    if (editor != null) {
      editor.height = '250px';
      editor.style.display = 'block';
      replyUrlParts = editor.src.split('#');
    }
  }
  if (!replybox || commentId === replyParent) {
    return;
  }
  // src is cleared before the move, presumably so re-parenting does not
  // reload the previous URL.
  replybox.src = '';
  document.getElementById(domId).insertBefore(replybox, null);
  // NOTE(review): commentId goes into the iframe URL unescaped; it is
  // expected to be a numeric id supplied by the comments library — confirm
  // the library never passes through a raw value from the page URL.
  replybox.src = replyUrlParts[0]
      + (commentId ? '&parentID=' + commentId : '')
      + '#' + replyUrlParts[1];
  replyParent = commentId;
};
// Deep-link handling from the URL fragment: "#comment-form_<thread>" asks
// the library to open the reply editor on that thread, "#c<digits>" names
// a comment to start on.
// NOTE(review): startThread is passed through verbatim after the prefix is
// stripped; only targetComment is constrained to digits — confirm the
// comments library validates initReplyThread before using it.
var fragment = window.location.hash || '#';
var hash = fragment.substring(1);
var startThread, targetComment;
if (hash.indexOf('comment-form_') === 0) {
  startThread = hash.substring('comment-form_'.length);
} else if (/^c[0-9]+$/.test(hash)) {
  targetComment = hash.substring(1);
}
// Options for the comments library: reply nesting depth comes from config.
var configJso = {
  maxDepth: config.maxThreadDepth
};
// Data provider handed to the library: the pre-rendered comments plus the
// hooks it calls for pagination, per-comment metadata, replies, and the
// deep-link targets parsed from the URL fragment.
var provider = {
  id: config.postId,
  data: items,
  loadNext: paginator,
  hasMore: hasMore,
  getMeta: getMeta,
  onReply: onReply,
  rendered: true,
  initComment: targetComment,
  initReplyThread: startThread,
  config: configJso,
  messages: msgs
};
var render = function() {
  // Render the comment thread into #comment-holder, but only once the
  // comments library (window.goog.comments) is available.
  var api = window.goog && window.goog.comments;
  if (!api) {
    return;
  }
  api.render(document.getElementById('comment-holder'), provider);
};
// Render immediately when the comments library is already loaded; otherwise
// create the namespace it expects and queue `render` for it to run on load.
var lib = window.goog && window.goog.comments;
if (lib) {
  render();
} else {
  var ns = window.goog = window.goog || {};
  ns.comments = ns.comments || {};
  ns.comments.loadQueue = ns.comments.loadQueue || [];
  ns.comments.loadQueue.push(render);
}
})();
// ]]>
</script>
<div id="comment-holder">
<div id="bc_0_3C" kind="c"><div id="bc_0_3CT"><div id="bc_0_2T" class="comment-thread" kind="r" t="0" u="0"><ol id="bc_0_2TB"><li id="bc_0_1B" class="comment" kind="b"><div class="avatar-image-container"><img src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/anon36.png"></div><div id="c6078340197179772689" class="comment-block"><div id="bc_0_1M" class="comment-header" kind="m"><cite class="user"><a rel="nofollow" href="https://www.blogger.com/profile/11751822299235747323">Conrad Longmore</a></cite><span class="icon user"></span><span class="datetime secondary-text"><a rel="nofollow" href="http://blog.talosintel.com/2016/01/rigging-compromise.html?showComment=1452381311833#c6078340197179772689">January 9, 2016 at 6:15 PM</a></span></div><p id="bc_0_1MC" class="comment-content">As it happens, I'm just running an analysis on sites hosted by Eurobyte LLC either currently on in the past, using a somewhat different data set. So far, out of 7500 sites analysed, 35% are tagged by Google as being malicious. This probably means that many of the other 65% are also bad, but they just haven't been tagged.<br><br>The Eurobyte LLC range is actually a bit bigger than you specify, they rent the entire 46.30.40.0/21 range from Webzilla. 
The /24s you are missing are:<br><br>46.30.40.0/24<br>46.30.41.0/24<br>46.30.47.0/24<br><br>Webzilla also provide services for the fairly notorious McHost.ru in the 178.208.64.0/19 range.</p><span id="bc_0_1MN" class="comment-actions secondary-text" kind="m"><a kind="i" href="javascript:;" target="_self" o="r">Reply</a><span class="item-control blog-admin pid-1981235959"><a o="d" target="_self" href="https://www.blogger.com/delete-comment.g?blogID=1029833275466591797&amp;postID=6078340197179772689">Delete</a></span></span></div><div id="bc_0_1BR" class="comment-replies"><span id="bc_0_1b+seedmAPMD" kind="d"><div id="bc_0_0T" class="comment-thread inline-thread" kind="t" t="0" u="0"><span id="bc_0_0TT" class="thread-toggle thread-expanded" kind="g"><span id="bc_0_0TA" class="thread-arrow"></span><span id="bc_0_0TN" class="thread-count"><span id="bc_0_0TNT" style="display: none;"></span><span id="bc_0_0TNU" style="display: none;"></span><a href="javascript:;" target="_self">Replies</a><div id="bc_0_0TD" class="thread-dropContainer thread-expanded"><span class="thread-drop"></span></div></span></span><ol id="bc_0_0TC" class="thread-chrome thread-expanded"><div><li id="bc_0_0B" class="comment" kind="b"><div class="avatar-image-container"><img src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/anon36.png"></div><div id="c8490361460388640749" class="comment-block"><div id="bc_0_0M" class="comment-header" kind="m"><cite class="user"><a rel="nofollow" href="https://www.blogger.com/profile/11420644688145888259">Nick Biasini</a></cite><span class="icon user"></span><span class="datetime secondary-text"><a rel="nofollow" href="http://blog.talosintel.com/2016/01/rigging-compromise.html?showComment=1452536697231#c8490361460388640749">January 11, 2016 at 1:24 PM</a></span></div><p id="bc_0_0MC" class="comment-content">Thanks for the info Conrad. 
We chose not to block several of the ranges since they were either hosting legitimate activity or were the corporate address space for Eurobyte.</p><span id="bc_0_0MN" class="comment-actions secondary-text" kind="m"><span class="item-control blog-admin pid-155477952"><a o="d" target="_self" href="https://www.blogger.com/delete-comment.g?blogID=1029833275466591797&amp;postID=8490361460388640749">Delete</a></span></span></div><div id="bc_0_0BR" class="comment-replies"></div><div id="bc_0_0B_box" class="comment-replybox-single"></div></li></div><div id="bc_0_0I" class="continue" kind="ci"><a href="javascript:;" target="_self">Reply</a></div></ol><div id="bc_0_0T_box" class="comment-replybox-thread"></div></div></span></div><div id="bc_0_1B_box" class="comment-replybox-single"></div></li></ol><div id="bc_0_2I" class="continue" kind="ci" style="display: none;"><a href="javascript:;" target="_self">Add comment</a></div><div id="bc_0_2T_box" class="comment-replybox-thread"><iframe allowtransparency="true" class="blogger-iframe-colorize blogger-comment-from-post" frameborder="0" height="250px" id="comment-editor" name="comment-editor" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/comment-iframe.html" width="100%" style="display: block;" data-resized="true"></iframe></div><div id="bc_0_2L" class="loadmore loaded" kind="rb"><a href="javascript:;" target="_self">Load more...</a></div></div></div></div></div>
</div>
</div>
</div>
</div></div>
</div>
</div></div>
</div>
<div id="sidebar-wrapper">
<div class="sidebar section" id="sidebar"><div class="widget CustomSearch" id="CustomSearch1">
<h2 class="title">Search The Blog</h2>
<div class="widget-content">
<div id="CustomSearch1_form"><form class="gsc-search-box" accept-charset="utf-8"><table cellspacing="0" cellpadding="0" class="gsc-search-box"><tbody><tr><td class="gsc-input"><input autocomplete="off" type="text" size="10" class=" gsc-input" name="search" title="search"><input type="hidden" name="bgresponse" id="bgresponse"></td><td class="gsc-search-button"><input type="submit" value="Search" class="gsc-search-button" title="search"></td></tr></tbody></table><table cellspacing="0" cellpadding="0" class="gsc-branding"><tbody><tr style="display: none;"><td class="gsc-branding-user-defined"></td><td class="gsc-branding-text"><div class="gsc-branding-text">powered by</div></td><td class="gsc-branding-img-noclear"><img src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/small-logo.png" class="gsc-branding-img-noclear"></td></tr></tbody></table></form></div>
</div>
<style type="text/css">
#uds-searchControl .gs-result .gs-title,
#uds-searchControl .gs-result .gs-title *,
#uds-searchControl .gsc-results .gsc-trailing-more-results,
#uds-searchControl .gsc-results .gsc-trailing-more-results * {
color:#00c;
}
#uds-searchControl .gs-result .gs-title a:visited,
#uds-searchControl .gs-result .gs-title a:visited * {
color:#00c;
}
#uds-searchControl .gs-relativePublishedDate,
#uds-searchControl .gs-publishedDate {
color: #6f6f6f;
}
#uds-searchControl .gs-result a.gs-visibleUrl,
#uds-searchControl .gs-result .gs-visibleUrl {
color: #00c;
}
#uds-searchControl .gsc-results {
border-color: #6f6f6f;
background-color: #fff;
}
#uds-searchControl .gsc-tabhActive {
border-color: #6f6f6f;
border-top-color: #6f6f6f;
background-color: #fff;
color: #000;
}
#uds-searchControl .gsc-tabhInactive {
border-color: #6f6f6f;
background-color: transparent;
color: #00c;
}
#uds-searchClearResults {
border-color: #6f6f6f;
}
#uds-searchClearResults:hover {
border-color: #6f6f6f;
}
#uds-searchControl .gsc-cursor-page {
color: #00c;
}
#uds-searchControl .gsc-cursor-current-page {
color: #000;
}
</style>
<div class="clear"></div>
<span class="widget-item-control">
<span class="item-control blog-admin">
<a class="quickedit" href="http://www.blogger.com/rearrange?blogID=1029833275466591797&amp;widgetType=CustomSearch&amp;widgetId=CustomSearch1&amp;action=editWidget&amp;sectionId=sidebar" onclick="return _WidgetManager._PopupConfig(document.getElementById(&quot;CustomSearch1&quot;));" target="configCustomSearch1" title="Edit">
<img alt="" height="18" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/icon18_wrench_allbkg.png" width="18">
</a>
</span>
</span>
<div class="clear"></div>
</div><div class="widget Subscribe" id="Subscribe1">
<div style="white-space:nowrap">
<h2 class="title">Subscribe To Our Feed</h2>
<div class="widget-content">
<div>
<div class="feed-reader-links subscribe">
<a class="feed-reader-link" href="http://blog.talosintel.com/feeds/posts/default" target="_blank">
<img align="absmiddle" class="feed-icon" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/icon_rss.svg">
Posts
</a>
</div>
</div>
<div>
<div class="feed-reader-links subscribe">
<a class="feed-reader-link" href="http://blog.talosintel.com/feeds/1476026378647980857/comments/default" target="_blank">
<img align="absmiddle" class="feed-icon" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/icon_rss.svg">
Comments
</a>
</div>
</div>
<div style="clear:both"></div>
</div>
</div>
<div class="clear"></div>
<span class="widget-item-control">
<span class="item-control blog-admin">
<a class="quickedit" href="http://www.blogger.com/rearrange?blogID=1029833275466591797&amp;widgetType=Subscribe&amp;widgetId=Subscribe1&amp;action=editWidget&amp;sectionId=sidebar" onclick="return _WidgetManager._PopupConfig(document.getElementById(&quot;Subscribe1&quot;));" target="configSubscribe1" title="Edit">
<img alt="" height="18" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/icon18_wrench_allbkg.png" width="18">
</a>
</span>
</span>
<div class="clear"></div>
</div><div class="widget BlogArchive" id="BlogArchive1">
<h2>Blog Archive</h2>
<div class="widget-content">
<div id="ArchiveList">
<div id="BlogArchive1_ArchiveList">
<ul class="hierarchy">
<li class="archivedate expanded">
<a class="toggle" href="javascript:void(0)">
<span class="zippy toggle-open">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/search?updated-min=2016-01-01T00:00:00-05:00&amp;updated-max=2017-01-01T00:00:00-05:00&amp;max-results=3">
2016
</a>
<span class="post-count" dir="ltr">(3)</span>
<ul class="hierarchy">
<li class="archivedate expanded">
<a class="toggle" href="javascript:void(0)">
<span class="zippy toggle-open">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2016_01_01_archive.html">
January
</a>
<span class="post-count" dir="ltr">(3)</span>
<ul class="posts">
<li><a href="http://blog.talosintel.com/2016/01/haystack.html">Research Spotlight: Needles in a Haystack</a></li>
<li><a href="http://blog.talosintel.com/2016/01/ms-tuesday.html">Microsoft Patch Tuesday - January 2016</a></li>
<li><a href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit.html">Rigging compromise - RIG Exploit Kit</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/search?updated-min=2015-01-01T00:00:00-05:00&amp;updated-max=2016-01-01T00:00:00-05:00&amp;max-results=50">
2015
</a>
<span class="post-count" dir="ltr">(62)</span>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_12_01_archive.html">
December
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_11_01_archive.html">
November
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_10_01_archive.html">
October
</a>
<span class="post-count" dir="ltr">(6)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_09_01_archive.html">
September
</a>
<span class="post-count" dir="ltr">(6)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_08_01_archive.html">
August
</a>
<span class="post-count" dir="ltr">(5)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_07_01_archive.html">
July
</a>
<span class="post-count" dir="ltr">(4)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_06_01_archive.html">
June
</a>
<span class="post-count" dir="ltr">(6)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_05_01_archive.html">
May
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_04_01_archive.html">
April
</a>
<span class="post-count" dir="ltr">(7)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_03_01_archive.html">
March
</a>
<span class="post-count" dir="ltr">(8)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_02_01_archive.html">
February
</a>
<span class="post-count" dir="ltr">(7)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2015_01_01_archive.html">
January
</a>
<span class="post-count" dir="ltr">(4)</span>
</li>
</ul>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/search?updated-min=2014-01-01T00:00:00-05:00&amp;updated-max=2015-01-01T00:00:00-05:00&amp;max-results=50">
2014
</a>
<span class="post-count" dir="ltr">(67)</span>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_12_01_archive.html">
December
</a>
<span class="post-count" dir="ltr">(4)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_11_01_archive.html">
November
</a>
<span class="post-count" dir="ltr">(5)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_10_01_archive.html">
October
</a>
<span class="post-count" dir="ltr">(6)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_09_01_archive.html">
September
</a>
<span class="post-count" dir="ltr">(10)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_08_01_archive.html">
August
</a>
<span class="post-count" dir="ltr">(4)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_07_01_archive.html">
July
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_06_01_archive.html">
June
</a>
<span class="post-count" dir="ltr">(6)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_05_01_archive.html">
May
</a>
<span class="post-count" dir="ltr">(4)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_04_01_archive.html">
April
</a>
<span class="post-count" dir="ltr">(10)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_03_01_archive.html">
March
</a>
<span class="post-count" dir="ltr">(4)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_02_01_archive.html">
February
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2014_01_01_archive.html">
January
</a>
<span class="post-count" dir="ltr">(8)</span>
</li>
</ul>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/search?updated-min=2013-01-01T00:00:00-05:00&amp;updated-max=2014-01-01T00:00:00-05:00&amp;max-results=30">
2013
</a>
<span class="post-count" dir="ltr">(30)</span>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_12_01_archive.html">
December
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_11_01_archive.html">
November
</a>
<span class="post-count" dir="ltr">(2)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_10_01_archive.html">
October
</a>
<span class="post-count" dir="ltr">(5)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_09_01_archive.html">
September
</a>
<span class="post-count" dir="ltr">(2)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_08_01_archive.html">
August
</a>
<span class="post-count" dir="ltr">(2)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_07_01_archive.html">
July
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_06_01_archive.html">
June
</a>
<span class="post-count" dir="ltr">(1)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_05_01_archive.html">
May
</a>
<span class="post-count" dir="ltr">(2)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_04_01_archive.html">
April
</a>
<span class="post-count" dir="ltr">(1)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_03_01_archive.html">
March
</a>
<span class="post-count" dir="ltr">(1)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_02_01_archive.html">
February
</a>
<span class="post-count" dir="ltr">(3)</span>
</li>
</ul>
<ul class="hierarchy">
<li class="archivedate collapsed">
<a class="toggle" href="javascript:void(0)">
<span class="zippy">
&nbsp;
</span>
</a>
<a class="post-count-link" href="http://blog.talosintel.com/2013_01_01_archive.html">
January
</a>
<span class="post-count" dir="ltr">(5)</span>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</div><div class="widget BlogList" id="BlogList1">
</div></div>
</div>
</div>
</div>
</div>
</div>
</div>
<link type="text/css" rel="stylesheet" href="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/1185134592-lightbox_bundle.css"><script type="text/javascript" src="./Cisco Talos Blog_ Rigging compromise - RIG Exploit Kit_files/4246284911-lbx.js"></script></body></html>