The RIG Exploit Kit is currently going through its most successful period, attempting roughly 2,000 intrusions every day and succeeding in about 30% of cases, the highest ratio in the service's long operational history.
By exploiting relatively old Internet Explorer vulnerabilities, RIG EK has been seen distributing various malware families, including Dridex, SmokeLoader, and RaccoonStealer.
According to a detailed report by Prodaft, whose researchers gained access to the service's backend web panel, the exploit kit remains a significant large-scale threat to individuals and organizations.
RIG EK's sordid history
RIG EK was first launched eight years ago, in 2014, and promoted as an "exploit-as-a-service" rented to other malware operators to spread their malware to vulnerable devices.
When a user visits a site that hosts the kit's malicious scripts, the scripts run and attempt to exploit various vulnerabilities in the browser to install malware on the system automatically.
In 2015, the kit's authors released its second major version, laying the ground for more extensive and successful operations.
In 2017, though, RIG suffered a significant blow following a coordinated takedown action that wiped out large parts of its infrastructure, severely disrupting its operations.
In 2019, RIG returned, this time focusing on ransomware distribution, helping Sodinokibi (REvil), Nemty, and ERIS ransomware compromise organizations with data-encrypting payloads.
In 2021, RIG's owner announced the service would shut down; however, RIG 2.0 returned in 2022 with two new exploits (CVE-2020-0674 and CVE-2021-26411 in Internet Explorer), reaching an all-time high successful breach ratio.
In April 2022, Bitdefender reported that RIG was being used to drop the Redline information-stealer malware onto victims.
While many of the exploits used by RIG EK target Internet Explorer, which Microsoft Edge has long since replaced, the browser is still used by millions of enterprise devices, and those are a prime target.
Current attack volumes
Prodaft says RIG EK currently targets 207 countries, launching an average of 2,000 attacks per day with a current success rate of 30%. This rate was 22% before the exploit kit resurfaced with two new exploits, says Prodaft.
As the heatmap published in the report shows, the most impacted countries are Germany, Italy, France, Russia, Turkey, Saudi Arabia, Egypt, Algeria, Mexico, and Brazil. However, there are victims worldwide.
The highest success rate belongs to CVE-2021-26411, reaching a 45% successful exploitation ratio, followed by CVE-2016-0189 with 29% and CVE-2019-0752 with 10%.
CVE-2021-26411 is a high-severity memory corruption flaw in Internet Explorer that Microsoft fixed in March 2021, triggered by viewing a maliciously crafted website.
The CVE-2016-0189 and CVE-2019-0752 vulnerabilities are also in Internet Explorer, allowing remote code execution in the browser.
CISA published an active exploitation alert for CVE-2019-0752 in February 2022, warning system administrators that the vulnerability is still being exploited and to apply the available security updates.
A wide range of malicious payloads
Currently, RIG EK primarily pushes information-stealing and initial-access malware, with Dridex being the most common (34%), followed by SmokeLoader (26%), RaccoonStealer (20%), Zloader (2.5%), Truebot (1.8%), and IcedID (1.4%).
Of course, the types of malware spread by RIG EK constantly change depending on which cybercriminals choose to use the service.
Prodaft has previously also observed the distribution of Redline, RecordBreaker, PureCrypter, Gozi, Royal Ransomware, and UrSnif.
Distributing the Dridex banking trojan is particularly interesting because there are indications that the RIG operators have taken action to ensure its distribution is problem-free.
"The RIG administrator had taken additional manual configuration steps to ensure that the malware was distributed smoothly," explains Prodaft in the report.
“Considering all these facts, we assess with high confidence that the developer of Dridex malware has a close relationship with the RIG’s admins.”
It should be noted that Dridex was linked to Entropy ransomware attacks a year ago, so RIG EK breaches could lead to data-encryption incidents.
RIG EK remains a significant threat to individuals and organizations running outdated software, threatening to infect their systems with stealthy information stealers that can siphon highly sensitive data.
However, RIG EK's focus on Internet Explorer could cause the service to become obsolete quickly, as Microsoft finally retired Internet Explorer in February 2023, redirecting users to Microsoft Edge.