The RIG exploit kit (EK) might be moving up the social ladder to become the top threat in its segment and leave Neutrino behind, recently observed malvertising campaigns suggest.
A malvertising incident that affected the popular website answers.com, a destination that gets around 2 million visitors each day, was seen earlier this week leveraging the RIG EK to drop the CrypMIC ransomware, Malwarebytes says. Not only were the site’s visitors exposed to the malicious ad, but they could have been infected without even clicking on it.
As part of this campaign, researchers reveal, the threat actor is using the same pattern previously employed by Angler and subsequently by Neutrino: domain shadowing and an HTTPS open redirector from Rocket Fuel (rfihub.com).
Although Neutrino took the leading position after Angler died in June, the latest improvements received by RIG show that it is ready to claim the top spot for itself. In early September, RIG started using wscript.exe as the parent process for the dropped binary, instead of the iexplore.exe process, which had been used before. The use of wscript.exe has been Neutrino’s trademark for a long time, and was used to bypass certain proxies, researchers say.
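The parent-process change described above (wscript.exe, rather than iexplore.exe, launching the dropped binary) is something a defender can look for in endpoint process-creation telemetry. The following is an added example, not code from the article or from Malwarebytes, and it runs over a handful of constructed, pipe-delimited process events rather than real logs; the field names, the hypothetical log format and the user-writable path hints are assumptions for the illustration. It flags a script host launching an executable from a user-writable location, a browser spawning a script host, and, for the older pattern, a browser launching an executable from such a location, while leaving a logon-script-style wscript.exe child in System32 unflagged.

```python
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Each line is a single
# process-creation record in an assumed "key=value|key=value" layout.
SAMPLE_LOG = """\
parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe
parent=C:\\Program Files\\Internet Explorer\\iexplore.exe|image=C:\\Windows\\System32\\wscript.exe
parent=C:\\Windows\\System32\\wscript.exe|image=C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe
parent=C:\\Windows\\System32\\wscript.exe|image=C:\\Windows\\System32\\net.exe
parent=C:\\Program Files\\Internet Explorer\\iexplore.exe|image=C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
# Assumed list of directories a low-privilege process can normally write to;
# a dropped payload usually lands in one of these before it is executed.
USER_WRITABLE_HINTS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' record into a dict (hypothetical log format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of hunting reasons that apply to one event (empty if none)."""
    parent = basename(ev.get("parent", ""))
    image = ev.get("image", "")
    child = basename(image)
    reasons: List[str] = []
    # The pattern the article attributes to Neutrino and, since September, RIG:
    # a script host is the parent of a freshly written executable.
    if parent in SCRIPT_HOSTS and child.endswith(".exe") and in_user_writable_dir(image):
        reasons.append("script host launched executable from user-writable path")
    # The link that usually precedes it in a drive-by chain.
    if parent in BROWSERS and child in SCRIPT_HOSTS:
        reasons.append("browser spawned script host")
    # The older pattern: the browser itself launches the dropped binary.
    if parent in BROWSERS and child.endswith(".exe") and in_user_writable_dir(image):
        reasons.append("browser launched executable from user-writable path")
    return reasons


def hunt(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, reasons) for every flagged record."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = flag_event(parse_line(line))
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in hunt(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

The path condition is what keeps the rule usable: wscript.exe legitimately runs logon scripts that call tools in System32, so the fourth record is not flagged, while the same parent launching a binary out of a temp directory is.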
Brad Duncan, Rackspace security researcher and handler at the SANS Institute’s Internet Storm Center, reveals that the Afraidgate campaign (which uses afraid.org domains) also switched to the RIG EK this week, but says that it was dropping the Locky ransomware instead of CrypMIC.
The Afraidgate campaign, Duncan says, has been distributing Locky since mid-July (it was distributing the CryptXXX ransomware before that), and it has been using Neutrino since June, when Angler disappeared. This week, the campaign was seen using RIG to drop the latest Locky ransomware variant, which uses the .ODIN extension instead of .zepto.
The researcher also reveals that the changes RIG has seen recently include a large number of non-ASCII characters on its landing page. He also notes that RIG's Flash exploits are now around 25 kB in size and that the EK's payload is more heavily obfuscated than before, being encoded with an encryption algorithm.
With the Afraidgate campaign currently being the biggest EK-based campaign distributing Locky, RIG becomes a highly valuable tool for this ransomware's operators (although Locky continues to be distributed mainly through spam). Moreover, with threat actors favoring RIG over Neutrino in other campaigns as well, it's clear that the EK is growing in importance.