RIG Replaces Neutrino in Massive Malvertising Campaigns

The RIG exploit kit (EK) might be moving up the social ladder to become the top threat in its segment and leave Neutrino behind, recently observed malvertising campaigns suggest.
A malvertising incident that affected the popular website answers.com, a destination that gets around 2 million visitors each day, was seen earlier this week leveraging the RIG EK to drop the CrypMIC ransomware, Malwarebytes says. Not only were the site’s visitors exposed to the malicious ad, but they could have been infected without even clicking on it.

As part of this campaign, researchers reveal, the threat actor is using the same pattern previously employed by Angler and subsequently by Neutrino: domain shadowing and an HTTPS open redirector from Rocket Fuel (rfihub.com).

Although Neutrino took the leading position after Angler died in June, the latest improvements received by RIG show that it is ready to claim the top spot for itself. In early September, RIG started using wscript.exe as the parent process for the dropped binary, instead of the iexplore.exe process, which had been used before. The use of wscript.exe has been Neutrino’s trademark for a long time, and was used to bypass certain proxies, researchers say.
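The parent-process change described above is a useful detection point for defenders. The following is an added example (not code from SecurityWeek, Malwarebytes or any EK researcher cited here) of a process-lineage check run over process-creation telemetry. It assumes Sysmon-style event records flattened into (pid, ppid, image) tuples, and assumes the script host is itself launched by the exploited browser process; the article only states that wscript.exe became the parent of the dropped binary, so that chain is an assumption. The sample events are constructed.

```python
"""Process-lineage heuristic for EK-style payload execution.

Added example (not the article's or any vendor's code). Assumes
process-creation events have been flattened to pid / ppid / image path;
the sample telemetry below is constructed for illustration.
"""
from dataclasses import dataclass
import ntpath

# Browsers that an exploit kit would typically compromise.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
# Script hosts the article names as the new parent of the dropped binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directory fragments where a freshly dropped payload commonly lands.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full image path as recorded by the sensor


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    parent_image: str
    image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def find_suspicious(events: list[ProcEvent]) -> list[Alert]:
    """Flag (1) a browser spawning a script host and (2) a browser or
    script host spawning an executable from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    alerts: list[Alert] = []
    for e in events:  # list order keeps alert order deterministic
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in this telemetry window
        pname, cname = basename(parent.image), basename(e.image)
        if pname in BROWSERS and cname in SCRIPT_HOSTS:
            alerts.append(Alert("browser_spawns_script_host", e.pid, parent.image, e.image))
        elif pname in (BROWSERS | SCRIPT_HOSTS) and in_user_writable(e.image):
            alerts.append(Alert("payload_from_user_writable_dir", e.pid, parent.image, e.image))
    return alerts


# Constructed sample telemetry: one benign explorer -> browser -> notepad chain,
# one explorer -> wscript chain (no alert on its own), and one browser ->
# wscript -> %TEMP% executable chain modelled on the behaviour the article reports.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\rad12345.tmp.exe"),
    ProcEvent(201, 100, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(500, 201, r"C:\Windows\System32\notepad.exe"),
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe"),
]

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_EVENTS):
        print(f"{a.rule}: pid {a.pid} {a.parent_image} -> {a.image}")
```

On the constructed sample the check raises two alerts: the browser launching wscript.exe (pid 300) and wscript.exe launching the executable in %TEMP% (pid 400). explorer.exe launching a script host directly is deliberately not flagged, since logon scripts do that routinely; the signal is the lineage, not the script host alone.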

Brad Duncan, Rackspace security researcher and handler at the SANS Institute’s Internet Storm Center, reveals that the Afraidgate campaign (which uses afraid.org domains) also switched to the RIG EK this week, but says that it was dropping the Locky ransomware instead of CrypMIC.

The Afraidgate campaign, Duncan says, has been distributing Locky since mid-July (it was distributing the CryptXXX ransomware before that), and it has been using Neutrino since June, when Angler disappeared. This week, the campaign was seen using RIG to drop the latest Locky ransomware variant, which uses the .ODIN extension instead of .zepto.

The researcher also reveals that the recent changes to RIG include a large number of non-ASCII characters on its landing page. He also notes that RIG's Flash exploits are now around 25 kB in size and that the EK's payload is more heavily obfuscated, being encoded with an encryption algorithm.

With the Afraidgate campaign currently being the biggest EK-based campaign distributing Locky, RIG becomes a highly valuable tool for this ransomware's operators (although Locky continues to be distributed mainly through spam). Moreover, with threat actors favoring RIG over Neutrino in other campaigns as well, it's clear that the EK is growing in importance.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
