Rigging compromise – RIG Exploit Kit

January 7, 2016 - 4 Comments

This Post was Authored by Nick Biasini, with contributions by Joel Esler

Exploit kits are one of the biggest threats affecting users, both inside and outside the enterprise, because they compromise indiscriminately: simply visiting a web site is enough to have a malicious payload delivered. One of the challenges with exploit kits is that at any given time there are numerous kits active on the Internet. RIG is one of these exploit kits, and it is always around, delivering malicious payloads to unsuspecting users. RIG first appeared in our telemetry back in November of 2013. Back then we referred to it as Goon; today it’s known as RIG.

We started focusing on RIG and found some interesting data similar to what we found while analyzing Angler. This post will discuss RIG, findings in the data, and what actions were taken as a result.

The Exploit Kit Overview

RIG compromises users like any exploit kit. It starts with a user being redirected to a landing page. This is done via malicious iframes or malvertising and looks similar to the following:

It begins with an initial link to JavaScript:




  1. Great article and thanks for the information!

  2. Guess that’s why most workplaces disallow surfing the web with browsers. What a shame. But productive!

  3. I did not know about the threat from rigging until reading this article. Good information to try and stay safer while surfing the web.

  4. Very informative as usual and as a bonus will set up my DNS at home to use OpenDNS. 🙂