Security Experts:

RIG Replaces Neutrino in Massive Malvertising Campaigns

The RIG exploit kit (EK) might be moving up the social ladder to become the top threat in its segment and leave Neutrino behind, recently observed malvertising campaigns suggest.

A malvertising incident that affected the popular website, a destination that gets around 2 million visitors each day, was seen earlier this week leveraging the RIG EK to drop the CrypMIC ransomware, Malwarebytes says. Not only were the site’s visitors exposed to the malicious ad, but they could have been infected without even clicking on it.

As part of this campaign, researchers reveal, the threat actor is using the same pattern previously employed by Angler and subsequently by Neutrino: domain shadowing and a HTTPS open redirector from Rocket Fuel (

Although Neutrino took the leading position after Angler died in June, the latest improvements received by RIG show that it is ready to claim the top spot for itself. In early September, RIG started using wscript.exe as the parent process for the dropped binary, instead of the iexplore.exe process, which had been used before. The use of wscript.exe has been Neutrino’s trademark for a long time, and was used to bypass certain proxies, researchers say.

Brad Duncan, Rackspace security researcher and handler at the SANS Institute's Internet Storm Center, reveals that the Afraidgate campaign (which uses domains) also switched to the RIG EK this week, but says that it was dropping the Locky ransomware instead of CrypMIC.

The Afraidgate campaign, Duncan says, has been distributing Locky since mid-July (it was distributing the CryptXXX ransomware before that), and it has been using Neutrino since June, when Angler disappeared. This week, the campaign was seen using RIG to drop the latest Locky ransomware variant, which uses the .ODIN extension instead of .zepto.

The researcher also reveals that some of the changes that RIG has seen recently include the presence of a large amount of non-ASCII characters on its landing page. He also notes that RIG Flash exploits are now around 25 kB in size and that the EK’s payload is now more heavily obfuscated, being encoded with an encryption algorithm.

With the Afraidgate campaign currently being the biggest EK-based campaign distributing Locky, RIG becomes a highly valuable tool for this ransomware’s operators (although Locky continues to be distributed mainly through spam). Moreover, with threat actors privileging RIG over Neutrino in other campaigns as well, it’s clear that the EK is growing in importance. 

view counter