Security Experts:

RIG Exploit Kit 3.0 Used to Infect Over 1.3 Million Computers Worldwide

Version 3.0 of the notorious RIG exploit kit has been released. Researchers at Trustwave have determined that the crimeware has already been used to infect more than 1.3 million devices from all over the world.

Part of the source code for the 2.0 version of the RIG exploit kit was leaked online earlier this year apparently as a result of a dispute between the main developer and a reseller. The developer recently launched RIG 3.0 and he has made some improvements that should prevent unauthorized access to the source code.

According to Trustwave, whose researchers managed to track down and access the administration servers used by two RIG instances, the latest version of the exploit kit is responsible for more than 3.5 million infection attempts.

Experts said over 1.3 million of these attempts were successful (34 percent success rate), with most of the victims located in Brazil (450,529 infections) and Vietnam (302,705). Roughly 45,000 infected systems are in the United States, 10,000 in the United Kingdom, and 4,000 in Canada, but the numbers will likely increase over the next period. Trustwave has determined that there are, on average, 27,000 new infections per day.

The high infection rates have been attributed to the many vulnerabilities discovered over the past period in Adobe Flash Player, including the zero-days leaked as a result of the Hacking Team breach.

Victims’ computers are infected with various pieces of malware, but 70 percent of infections involve the Tofsee spam bot. Interestingly, only one of the RIG 3.0 customers distributes Tofsee and experts estimate that he earns between $60,000 and $100,000 per month.

Trustwave says that a majority of the traffic to RIG exploit kit landing pages (90 percent) comes from malvertising campaigns. Malicious actors have used real-time bidding to ensure that their malicious ads are displayed on websites.

One of the advertisers whose services are abused is buy-targeted-traffic.com, which allows attackers to buy 1,000 ad impressions for as low as 20 cents. While most of the malware-serving ads will be displayed on less popular websites, in some cases the ads will be displayed on high-profile sites if bids are won.

The RIG 3.0 infrastructure is mainly the same as the one used for RIG 2.0, but there are some notable changes.

The virtual dedicated server (VDS), which contains the exploits used by RIG and acts as a tunnel between the administration server and the proxy layer that serves the exploits to the victims, is located on the same IP as RIG 2.0, and it seems to have remained intact and largely unnoticed.

However, RIG 3.0 uses only one VDS which, according to experts, indicates that the reseller model either no longer exists or that reseller systems are kept separately, possibly as a result of the recent source code leak.

As far as security improvements are concerned, the developer of the RIG exploit kit has patched the vulnerabilities that allowed the reseller to steal source code. Unauthenticated users are now banned from accessing internal files hosted on the backend server, and payloads are no longer stored in a folder on the server to prevent users from uploading backdoors.

The RIG developer has also started using CloudFlare to protect his creation’s control panel against distributed denial-of-service (DDoS) attacks.

In RIG 2.0, the format of the landing page URL was constant, which allowed security products to easily detect RIG exploit kit attacks. With the release of RIG 3.0, the developer has replaced a static string that was always present in the URL (“PHPSSESID”) with a randomized token.

Finally, experts noted that the user interface has been changed in RIG 3.0.

“It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated, and worst of all, more widespread,” Trustwave researchers said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.