Rig EK via Decimal Redirect Drops Smoke Loader.


This is the first time I've detected a decimal redirect to Rig EK. The mechanism is described by Malwarebytes. The redirect led to a file called "rig.php", which is something I have not seen before. The page then displays a "loading" GIF, which makes it appear as if something should be happening. Something is indeed happening – Smoke Loader was dropped, and I have demonstrated before what happens if you leave it running.

Apologies for an incomplete picture. I bodged it together with Paint as my current tools are not available.


Background Information:

  • A few articles on Rig exploit kit and its evolution:


  • Article on Decimal Redirects



(in password protected zip)

Details of infection chain:



Decimal Redirect to Rig EK which drops smoke loader.

Full Details:

There is a URL request from the compromised site to "1755118211", which the browser interprets as an IP address. This then 302's to an IP hosting a PHP file.


This leads to a file amusingly named "rig.php". It contains an iframe to Rig EK and a GIF file which makes it appear as if the website is "loading".



Rig then dropped Smoke Loader. The only other thing I have not seen before is Rig using a fifth-level domain.

4 thoughts on "Rig EK via Decimal Redirect Drops Smoke Loader."

  1. Pingback: Shadowfall - InfoSecHotSpot

  2. Pingback: Shadowfall - Speaking of Security - The RSA Blog

  3. Pingback: [Technical Share] ShadowFall: A Detailed Analysis Report on the Domain Shadowing Campaign - 安全路透社

  4. Pingback: [Technical Share] ShadowFall: A Detailed Analysis Report on the Domain Shadowing Campaign – 安百科技
