Security Experts:

Connect with us

Hi, what are you looking for?



RIG Replaces Neutrino in Massive Malvertising Campaigns

The RIG exploit kit (EK) might be moving up the social ladder to become the top threat in its segment and leave Neutrino behind, recently observed malvertising campaigns suggest.

The RIG exploit kit (EK) might be moving up the social ladder to become the top threat in its segment and leave Neutrino behind, recently observed malvertising campaigns suggest.

A malvertising incident that affected the popular website, a destination that gets around 2 million visitors each day, was seen earlier this week leveraging the RIG EK to drop the CrypMIC ransomware, Malwarebytes says. Not only were the site’s visitors exposed to the malicious ad, but they could have been infected without even clicking on it.

As part of this campaign, researchers reveal, the threat actor is using the same pattern previously employed by Angler and subsequently by Neutrino: domain shadowing and a HTTPS open redirector from Rocket Fuel (

Although Neutrino took the leading position after Angler died in June, the latest improvements received by RIG show that it is ready to claim the top spot for itself. In early September, RIG started using wscript.exe as the parent process for the dropped binary, instead of the iexplore.exe process, which had been used before. The use of wscript.exe has been Neutrino’s trademark for a long time, and was used to bypass certain proxies, researchers say.

Brad Duncan, Rackspace security researcher and handler at the SANS Institute’s Internet Storm Center, reveals that the Afraidgate campaign (which uses domains) also switched to the RIG EK this week, but says that it was dropping the Locky ransomware instead of CrypMIC.

The Afraidgate campaign, Duncan says, has been distributing Locky since mid-July (it was distributing the CryptXXX ransomware before that), and it has been using Neutrino since June, when Angler disappeared. This week, the campaign was seen using RIG to drop the latest Locky ransomware variant, which uses the .ODIN extension instead of .zepto.

The researcher also reveals that some of the changes that RIG has seen recently include the presence of a large amount of non-ASCII characters on its landing page. He also notes that RIG Flash exploits are now around 25 kB in size and that the EK’s payload is now more heavily obfuscated, being encoded with an encryption algorithm.

With the Afraidgate campaign currently being the biggest EK-based campaign distributing Locky, RIG becomes a highly valuable tool for this ransomware’s operators (although Locky continues to be distributed mainly through spam). Moreover, with threat actors privileging RIG over Neutrino in other campaigns as well, it’s clear that the EK is growing in importance. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack