The RIG exploit kit (EK) managed to grab nearly 35% of the overall EK activity during the last month of 2016, retaining the leading spot in the landscape for the fourth month in a row, Symantec reports.
RIG first emerged on cybercrime forums in April 2014, but made it to the headlines only a couple of months later, when it started delivering the CryptoWall file-encrypting ransomware. RIG has been used in various campaigns over the years, and even had its source code leaked online in February 2015.
Despite its success, the EK didn’t make it to the top of the charts until June 2016, when the Angler EK disappeared, leaving a void that other EKs have been trying to fill ever since. Even then, RIG was trailing Neutrino, but that kit disappeared last September, when RIG started replacing it in various malicious campaigns.
Now, it appears that RIG has not only secured the top position in the EK market, but also that it has no worthy rival at present. According to Symantec, while RIG accounted for 34.8% of all EK activity in December, the runner-up was the Fiesta EK, with only 4.2% of that activity. Magnitude came in third with only 3.2%.
Changes in the EK landscape have been small over the past few months, the notable ones being the disappearance of Neutrino in September, Fiesta pushing Magnitude into third position in November, and the appearance of a new exploit kit called Stegano in December. Similar to a recent variant of Sundown, Stegano uses steganography to hide code in other types of data, mainly images.
While things remained unchanged in the EK area, the number of daily web attacks blocked by Symantec went up by roughly 33% in December. The security company blocked 388,000 such attacks per day during the last month, a significant increase compared to the 291,000 attacks per day it blocked in November.
The number of new malware variants, however, dropped significantly, from 71.2 million in November to 19.5 million in December. This was the lowest level registered since last July, and Symantec suggests that a decline in activity surrounding the Kovter family of threats might have been responsible for it.
One of the most important incidents last month was the return of the infamous disk-wiping malware Shamoon, which resurfaced in a fresh wave of attacks against new targets in Saudi Arabia. Also worth mentioning is the arrest of the cybercriminals behind the Bayrob malware.
While the overall spam rate dropped to 54.2 percent in December, the construction sector, which was hit the most, experienced a 2.1 percentage point increase, reaching a 63.3% spam rate. New spam techniques such as hailstorms were seen distributing a variety of threats, including the Dridex and Locky families of malware.
The phishing rate decreased to one in 3,357 emails last month, with the mining sector registering a significant improvement in this regard: phishing activity declined from one in 972 emails in November to one in 5,423 in December. While organizations with 1,001-1,500 employees registered the highest spam rates, phishing mainly targeted businesses with 1-250 employees.
While no new Android malware family was discovered in December, the month brought another issue into the spotlight when the firmware of around 30 phone models was found to include built-in software that downloads adware and potentially unwanted apps.