A joint operation between various industry actors has led to tens of thousands of shadow domains being shut down and removed from the infrastructure of the RIG Exploit Kit (RIG EK).

The operation, nicknamed Shadowfall, started at the end of February, was coordinated by RSA Research, and involved various industry players such as GoDaddy, Malwarebytes, Brad Duncan, @broadanalysis, @dynamicanalysis, @executemalware, @nao_sec, and @Zerophage1337.

All have participated in mapping the infrastructure of the RIG EK, today's largest exploit kit, and the result of their cooperation was a list of hundreds of compromised domains secretly hijacked by the RIG EK.

RIG EK crew hijacked hundreds of websites

According to researchers, the RIG crew had hacked or infiltrated these hosting accounts and were using their resources to host malicious code inside hidden subdomains, also known as shadow domains.

Since the vast majority of these compromised sites were hosted on GoDaddy's infrastructure, the hosting provider's security team was brought in and later helped researchers in contacting domain owners and freezing compromised accounts.

All culminated on May 16, when RSA, GoDaddy, and others, moved in and removed tens of thousands of active shadow domains, resulting in a huge blow to the RIG EK operation.

Researchers believe attackers used either phishing campaigns to obtain credentials for hosting accounts, or brute-force attacks against weakly-secured sites.

RIG crew created shadow domains on hacked sites

After taking over these sites, attackers created new subdomains but pointed the DNS entry to an IP under their control at a bulletproof hosting provider. To avoid getting blacklisted, attackers rotated shadow domains at regular intervals, deleting older subdomains and creating new ones.

The RSA team says the group created on average around 450 shadow domains per day. In total, during the period they monitored the RIG EK infrastructure, researchers say the group took over 800 domains and created around 30,000 shadow domains.

In the grand scheme of the RIG EK operation, these shadow domains play a crucial role. The way a RIG EK operation works is simple and identical to how all exploit kit operate nowadays.

It all starts when a user accesses a compromised site, which loads malicious code inside a hidden iframe or right on the site, with no disguise (step 1 from the graph above).

This malicious code redirects victims through a flurry of domains, trying to lose security researchers in an endless stream of redirects. Hijacked visitors eventually land on servers called "gates" or TDS (Traffic Distribution Systems), where malicious code filters users based on their browser, operating system, geographical location, and other criteria (step 2).

The RIG EK gates will redirect only vulnerable users to so-called "landing pages" where the actual RIG exploit kit runs (step 3).

On these landing pages, the exploit kit, which is nothing more than a web-based app, loads malicious code in the user's browser, packed either as Flash or JavaScript files (step 4).

When it executes, the exploit code gains a foothold on the user's system, which allows it to run code on the local machine, downloading the final payload (step 5).

Shadowfall operation put a dent in RIG campaigns

Shadow domains are important for the first three steps. They usually host malicious code, gates, or landing pages. By taking tens of thousands of these domains out of the mix, the RIG EK crew suffered a huge setback, something that many security researchers have confirmed.

In the past year, the RIG EK was rented to different cybercrime groups, who used it to deliver various payloads. Below is a summary of all the cybercrime campaigns that utilized RIG.

PseudoDarkleech (PDL) campaign delivered mainly Cerber ransomware. The campaign slowed down at the end of April.

EITest delivered the Dreambot banking trojan and the Cerber, CryptoShield, Sage, and Spora ransomware families.

Decimal-IP is a recent campaign that has been spreading the Smokeloader malware.

Seamless is another recent campaign that has been observed delivering the Latentbot trojan and the ransomware component of the Ramnit trojan.

"[P]reliminary analysis indicates a significant loss of capabilities to RIG operations, specifically to current Seamless and Decimal IP campaigns," says the RSA team. "Longevity of impact is still under joint evaluation by GoDaddy and RSA teams."

RIG crew is playing around with different configs

Following this takedown of a large chunk of its infrastructure, the group has started shifting things around and playing with various configurations.

For a period of five days, from June 1 to June 5, the RIG EK dropped all its Flash exploits, in what appears to be a strange test.

Might be premature, but I haven't seen any Flash exploits from #RigEK after 2017-05-31. #MagnitudeEK still using Flash exploits, but not Rig pic.twitter.com/NT0jkEpeMD — Brad (@malware_traffic) June 2, 2017

Keep in mind that #RigEK is still active. It's just different (no more Flash exploits). — Brad (@malware_traffic) June 2, 2017

Last #RIGEK using Flash exploit I observed was on 01 Jun 03:06 AM PT. pic.twitter.com/KlYMP2VytS — Jérôme Segura (@jeromesegura) June 2, 2017

Nonetheless, today, the RIG EK crew switched back to using Flash for infecting victims.

Last year, after Check Point researchers poked around in the Nuclear exploit kit operation in a similar fashion, the cybercrime group decided to call it quits and retire before researchers unmasked more of their infrastructure. Let's hope the RIG EK team takes the same road after they see RSA's Shadowfall report.