RIG Exploit Kit 3.0 Used to Infect Over 1.3 Million Computers Worldwide

Version 3.0 of the notorious RIG exploit kit has been released. Researchers at Trustwave have determined that the crimeware has already been used to infect more than 1.3 million devices from all over the world.

Part of the source code for the 2.0 version of the RIG exploit kit was leaked online earlier this year apparently as a result of a dispute between the main developer and a reseller. The developer recently launched RIG 3.0 and he has made some improvements that should prevent unauthorized access to the source code.

According to Trustwave, whose researchers managed to track down and access the administration servers used by two RIG instances, the latest version of the exploit kit is responsible for more than 3.5 million infection attempts.

Experts said over 1.3 million of these attempts were successful (a 34 percent success rate), with most of the victims located in Brazil (450,529 infections) and Vietnam (302,705). Roughly 45,000 infected systems are in the United States, 10,000 in the United Kingdom, and 4,000 in Canada, but the numbers will likely continue to rise. Trustwave has determined that there are, on average, 27,000 new infections per day.

The high infection rates have been attributed to the many vulnerabilities recently discovered in Adobe Flash Player, including the zero-days leaked as a result of the Hacking Team breach.

Victims’ computers are infected with various pieces of malware, but 70 percent of infections involve the Tofsee spam bot. Interestingly, only one of the RIG 3.0 customers distributes Tofsee and experts estimate that he earns between $60,000 and $100,000 per month.

Trustwave says that a majority of the traffic to RIG exploit kit landing pages (90 percent) comes from malvertising campaigns. Malicious actors have used real-time bidding to ensure that their malicious ads are displayed on websites.

One of the advertisers whose services are abused is buy-targeted-traffic.com, which allows attackers to buy 1,000 ad impressions for as low as 20 cents. While most of the malware-serving ads will be displayed on less popular websites, in some cases the ads will be displayed on high-profile sites if bids are won.


The RIG 3.0 infrastructure is mainly the same as the one used for RIG 2.0, but there are some notable changes.

The virtual dedicated server (VDS), which contains the exploits used by RIG and acts as a tunnel between the administration server and the proxy layer that serves the exploits to the victims, is located on the same IP as RIG 2.0, and it seems to have remained intact and largely unnoticed.

However, RIG 3.0 uses only one VDS which, according to experts, indicates that the reseller model either no longer exists or that reseller systems are kept separately, possibly as a result of the recent source code leak.

As far as security improvements are concerned, the developer of the RIG exploit kit has patched the vulnerabilities that allowed the reseller to steal source code. Unauthenticated users are now banned from accessing internal files hosted on the backend server, and payloads are no longer stored in a folder on the server to prevent users from uploading backdoors.

The RIG developer has also started using CloudFlare to protect his creation’s control panel against distributed denial-of-service (DDoS) attacks.

In RIG 2.0, the format of the landing page URL was constant, which allowed security products to easily detect RIG exploit kit attacks. With the release of RIG 3.0, the developer has replaced a static string that was always present in the URL (“PHPSSESID”) with a randomized token.
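The detection point above is worth seeing concretely. The following example is added here and is not Trustwave's tooling or part of the original article: it runs two checks over constructed proxy log lines (the URLs and client addresses are made up), a static-string signature for the fixed "PHPSSESID" parameter the article names, and, as an assumption of ours rather than anything the article describes, a simple entropy heuristic for random-looking query parameter names that a signature alone would miss.

```python
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log lines (not real RIG traffic): "client_ip method url"
SAMPLE_LOG = """\
10.0.0.5 GET http://ads.example.test/index.php?PHPSSESID=njrMNruDMh7HRz&q=1
10.0.0.7 GET http://cdn.example.test/static/logo.png
10.0.0.9 GET http://ads.example.test/index.php?Hqv3kTz9qP=x8Lm2&r=7
10.0.0.5 GET http://shop.example.test/cart?item=42&session=abc
"""

# Signature for the static RIG 2.0 URL marker named in the article.
STATIC_SIGNATURE = re.compile(r"PHPSSESID", re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def matches_static_signature(url):
    """True when the fixed RIG 2.0 marker appears anywhere in the URL."""
    return STATIC_SIGNATURE.search(url) is not None


def has_random_looking_param(url, min_len=8, min_entropy=3.0):
    """Illustrative heuristic (our assumption, not from the article): a query
    parameter *name* that is both long and high-entropy resembles a
    randomized token rather than a developer-chosen name."""
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(name) >= min_len and shannon_entropy(name) >= min_entropy:
            return True
    return False


def scan_log(log):
    """Return (client_ip, rule) for every log line a rule fires on."""
    hits = []
    for line in log.splitlines():
        ip, _method, url = line.split(" ", 2)
        if matches_static_signature(url):
            hits.append((ip, "static-signature"))
        elif has_random_looking_param(url):
            hits.append((ip, "random-param-heuristic"))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the first line by signature and the third only through the heuristic, which is the gap a randomized token opens for purely static detection.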

Finally, experts noted that the user interface has been changed in RIG 3.0.

“It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated, and worst of all, more widespread,” Trustwave researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
