The
RIG
exploit
kit
(EK)
touched
an
all-time
high
successful
exploitation
rate
of
nearly
30%
in
2022,
new
findings
reveal.
“RIG
EK
is
a
financially-motivated
program
that
has
been
active
since
2014,”
Swiss
cybersecurity
company
PRODAFT
said
in
an
exhaustive
report
shared
with
The
Hacker
News.
“Although
it
has
yet
to
substantially
change
its
exploits
in
its
more
recent
activity,
the
type
and
version
of
the
malware
they
distribute
constantly
change.
The
frequency
of
updating
samples
ranges
from
weekly
to
daily
updates.”
Exploit
kits
are
programs
used
to
distribute
malware
to
large
numbers
of
victims
by
taking
advantage
of
known
security
flaws
in
commonly-used
software
such
as
web
browsers.
The
fact
that
RIG
EK
runs
as
a
service
model
means
threat
actors
can
financially
compensate
the
RIG
EK
administrator
for
installing
malware
of
their
choice
on
victim
machines.
The
RIG
EK
operators
primarily
employ
malvertising
to
ensure
a
high
infection
rate
and
large-scale
coverage.
As
a
result,
visitors
using
a
vulnerable
version
of
a
browser
to
access
an
actor-controlled
web
page
or
a
compromised-but-legitimate
website
are
redirected
using
malicious
JavaScript
code
to
a
proxy
server,
which,
in
turn,
communicates
with
an
exploit
server
to
deliver
the
appropriate
browser
exploit.
The
exploit
server,
for
its
part,
detects
the
user’s
browser
by
parsing
the
User-Agent
string
and
returns
the
exploit
that
“matches
the
pre-defined
vulnerable
browser
versions.”
“The
artful
design
of
the
Exploit
Kit
allows
it
to
infect
devices
with
little
to
no
interaction
from
the
end
user,”
the
researchers
said.
“Meanwhile,
its
use
of
proxy
servers
makes
infections
harder
to
detect.”
Since
arriving
on
the
scene
in
2014,
RIG
EK
has
been
observed
delivering
a
wide
range
of
financial
trojans,
stealers,
and
ransomware
such
as
AZORult,
CryptoBit,
Dridex,
Raccoon
Stealer,
and
WastedLoader.
The
operation
was
dealt
a
huge
blow
in
2017
following
a
coordinated
action
that
dismantled
its
infrastructure.
Recent
RIG
EK
campaigns
have
targeted
a
memory
corruption
vulnerability
impacting
Internet
Explorer
(CVE-2021-26411,
CVSS
score:
8.8)
to
deploy
RedLine
Stealer.
Other
browser
flaws
weaponized
by
the
malware
include
CVE-2013-2551,
CVE-2014-6332,
CVE-2015-0313,
CVE-2015-2419,
CVE-2016-0189,
CVE-2018-8174,
CVE-2019-0752,
and
CVE-2020-0674.
According
to
data
collected
by
PRODAFT,
45%
of
the
successful
infections
in
2022
leveraged
CVE-2021-26411,
followed
by
CVE-2016-0189
(29%),
CVE-2019-0752
(10%),
CVE-2018-8174
(9%),
and
CVE-2020-0674
(6%).
Besides
Dridex,
Raccoon,
and
RedLine
Stealer,
some
of
the
notable
malware
families
distributed
using
RIG
EK
are
SmokeLoader,
PureCrypter,
IcedID,
ZLoader,
TrueBot,
Ursnif,
and
Royal
ransomware.
Furthermore,
the
exploit
kit
is
said
to
have
attracted
traffic
from
207
countries,
reporting
a
22%
success
rate
over
the
past
two
months
alone.
The
most
number
of
compromises
are
located
in
Russia,
Egypt,
Mexico,
Brazil,
Saudi
Arabia,
Turkey,
and
several
countries
across
Europe.
“Interestingly
enough,
the
exploit
try
rates
were
the
highest
on
Tuesday,
Wednesday
and
Thursday
–
with
successful
infections
taking
place
on
the
same
days
of
the
week,”
the
researchers
explained.
PRODAFT,
which
also
managed
to
gain
visibility
into
the
kit’s
control
panel,
said
there
are
about
six
different
users,
two
of
whom
(admin
and
vipr)
have
admin
privileges.
A
user
profile
with
the
alias
“pit”
or
“pitty”
has
subadmin
permissions,
and
three
others
(lyr,
ump,
and
test1)
have
user
privileges.
“admin”
is
also
a
dummy
user
mainly
reserved
for
creating
other
users.
The
management
panel,
which
works
with
a
subscription,
is
controlled
using
the
“pitty”
user.
However,
an
operational
security
blunder
that
exposed
the
git
server
led
PRODAFT
to
de-anonymize
two
of
the
threat
actors:
a
31-year-old
Uzbekistan
national
named
Oleg
Lukyanov
and
a
Russian
who
goes
by
the
name
Vladimir
Nikonov.
It
also
assessed
with
high
confidence
that
the
developer
of
the
Dridex
malware
has
a
“close
relationship”
with
the
RIG
EK’s
administrators,
owing
to
the
additional
manual
configuration
steps
taken
to
“ensure
that
the
malware
was
distributed
smoothly.”
“Overall,
RIG
EK
runs
a
very
fruitful
business
of
exploit-as-a-service,
with
victims
across
the
globe,
a
highly
effective
exploit
arsenal
and
numerous
customers
with
constantly
updating
malware,”
the
researchers
said.
this
article
interesting?
Follow
us
on
and
to
read
more
exclusive
content
we
post.
About Author
