RIG Replaces Neutrino in Massive Malvertising Campaigns

The RIG exploit kit (EK) might be moving up the social ladder to become the top threat in its segment and leave Neutrino behind, recently observed malvertising campaigns suggest.

A malvertising incident that affected the popular website, a destination that gets around 2 million visitors each day, was seen earlier this week leveraging the RIG EK to drop the CrypMIC ransomware, Malwarebytes says. Not only were the site’s visitors exposed to the malicious ad, but they could have been infected without even clicking on it.

As part of this campaign, researchers reveal, the threat actor is using the same pattern previously employed by Angler and subsequently by Neutrino: domain shadowing and an HTTPS open redirector from Rocket Fuel (

Although Neutrino took the leading position after Angler died in June, the latest improvements received by RIG show that it is ready to claim the top spot for itself. In early September, RIG started using wscript.exe as the parent process for the dropped binary, instead of the iexplore.exe process, which had been used before. The use of wscript.exe has been Neutrino’s trademark for a long time, and was used to bypass certain proxies, researchers say.
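The parent-process change described above is something a defender can turn into a process-lineage rule. The following is an added example, not code from the article or from Malwarebytes or the ISC: it walks constructed Sysmon-style process-creation records and flags a binary launched from a user-writable directory whose parent is a script host (wscript.exe or cscript.exe) spawned by a browser. It also covers the older pattern the article mentions, the browser itself parenting the dropped binary, so both RIG behaviours produce a hit. The record layout, paths and PIDs are constructed for the example.

```python
"""Flag browser -> script host -> dropped binary process chains.

Added example (not from the article). Records mimic the pid/ppid/image
fields of a process-creation event; the values below are constructed.
"""

# Constructed sample events: every path and PID here is made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    # RIG's newer behaviour: wscript.exe parents the dropped binary
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\rad12345.tmp.exe"},
    # Benign: a logon script run by explorer.exe, not by a browser
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\notepad.exe"},
    # RIG's older behaviour: the browser parents the dropped binary directly
    {"pid": 700, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\drop.exe"},
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directory fragments a browser-driven drop typically lands in
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    """True if the image lives somewhere an unprivileged user can write."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_suspicious_chains(events):
    """Return (pattern, browser_pid, child_pid) for each suspicious launch.

    Two patterns are reported:
      browser->binary             the browser directly parents a binary
                                  in a user-writable directory
      browser->scripthost->binary a script host spawned by the browser
                                  parents such a binary
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not in_user_writable_dir(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        pname = basename(parent["image"])
        if pname in BROWSERS:
            hits.append(("browser->binary", parent["pid"], e["pid"]))
        elif pname in SCRIPT_HOSTS:
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and basename(grandparent["image"]) in BROWSERS:
                hits.append(("browser->scripthost->binary",
                             grandparent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS):
        print(hit)
```

The rule keys on lineage plus launch directory rather than on the script host alone, so routine logon scripts under explorer.exe (pid 500 above) do not fire; tune the BROWSERS and USER_WRITABLE lists to the estate being monitored.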

Brad Duncan, Rackspace security researcher and handler at the SANS Institute’s Internet Storm Center, reveals that the Afraidgate campaign (which uses domains) also switched to the RIG EK this week, but says that it was dropping the Locky ransomware instead of CrypMIC.

The Afraidgate campaign, Duncan says, has been distributing Locky since mid-July (it was distributing the CryptXXX ransomware before that), and it has been using Neutrino since June, when Angler disappeared. This week, the campaign was seen using RIG to drop the latest Locky ransomware variant, which uses the .ODIN extension instead of .zepto.
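The extension switch from .zepto to .ODIN is the kind of change that breaks a detection keyed on a single string, so a rule should watch for bursts of renames to any known ransomware extension rather than one literal. The following is an added example, not code from the article or from the ISC: it runs over constructed file-rename events (timestamp, pid, new path) and reports processes that rename at least `threshold` files to a listed extension within a sliding time window. The extension set holds only the two extensions the article names; the event data and PIDs are made up.

```python
"""Detect bursts of renames to ransomware extensions.

Added example (not from the article). Events are constructed tuples of
(timestamp_seconds, pid, new_path) as a file-activity monitor might emit.
"""
from collections import defaultdict, deque

# Only the two extensions the article mentions for Locky variants
RANSOM_EXTENSIONS = {".odin", ".zepto"}

# Constructed sample events: PIDs, times and paths are made up.
SAMPLE_FILE_EVENTS = [
    (1.0, 400, r"C:\Users\alice\Documents\budget.xlsx.odin"),
    (1.5, 400, r"C:\Users\alice\Documents\notes.txt.odin"),
    (2.0, 900, r"C:\Users\bob\Pictures\img1.jpg.zepto"),
    (2.2, 400, r"C:\Users\alice\Documents\thesis.docx.odin"),
    (3.0, 123, r"C:\Users\alice\Documents\report.docx"),   # ordinary save
    (3.1, 400, r"C:\Users\alice\Documents\plan.pptx.ODIN"),  # case varies
    (4.0, 400, r"C:\Users\alice\Desktop\todo.txt.odin"),
    (6.0, 400, r"C:\Users\alice\Desktop\photo.png.odin"),
    (50.0, 900, r"C:\Users\bob\Pictures\img2.jpg.zepto"),
]


def extension_of(path):
    """Lower-cased final extension including the dot, or '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_bursts(events, threshold=5, window=10.0):
    """Return sorted pids that renamed >= threshold files to a ransomware
    extension within any `window`-second span.

    A per-pid deque keeps the timestamps of recent matching renames; old
    entries are dropped as the window slides forward.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, pid, path in sorted(events):
        if extension_of(path) not in RANSOM_EXTENSIONS:
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(pid)
    return sorted(flagged)


if __name__ == "__main__":
    print("burst:", detect_rename_bursts(SAMPLE_FILE_EVENTS))
    print("any touch:", detect_rename_bursts(SAMPLE_FILE_EVENTS, threshold=1))
```

With the default threshold only pid 400 is reported; lowering the threshold to 1 treats any rename to a listed extension as a hit, which trades false positives for earlier warning. Extending RANSOM_EXTENSIONS as new variants appear is the only maintenance the rule needs.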

The researcher also reveals that the changes RIG has seen recently include a large number of non-ASCII characters on its landing page. He also notes that RIG's Flash exploits are now around 25 kB in size and that the EK's payload is now more heavily obfuscated, being encoded with an encryption algorithm.


With the Afraidgate campaign currently being the biggest EK-based campaign distributing Locky, RIG becomes a highly valuable tool for this ransomware’s operators (although Locky continues to be distributed mainly through spam). Moreover, with threat actors privileging RIG over Neutrino in other campaigns as well, it’s clear that the EK is growing in importance. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
