RIG Exploit Kit (EK) has become increasingly successful in exploiting vulnerabilities, reaching an all-time high successful exploitation rate of nearly 30% in 2022, according to new findings from the Swiss cybersecurity company PRODAFT. The kit is a financially-motivated program that has been active since 2014 and is used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers. It runs on a service model: threat actors pay the RIG EK administrator to install malware of their choice on victim machines.
Malvertising is primarily used by the RIG EK operators to ensure a high infection rate and large-scale coverage. Visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit. Exploit servers detect the user’s browser by parsing the User-Agent string and return the exploit that “matches the pre-defined vulnerable browser versions.”
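The same User-Agent parsing the exploit server performs to select an exploit can be turned around by defenders to find clients that are still browsing with the legacy browser the report singles out. The script below is an added example, not code from the article or from PRODAFT: it reads web-proxy log lines, classifies the quoted User-Agent, and reports every request made from Internet Explorer (classic `MSIE` token or the `Trident/7.0 ... rv:11.0` form IE 11 uses). The log line format, client IPs and `.invalid` URLs are constructed for the example; real proxies use their own formats, so the `LOG_LINE_RE` pattern is an assumption to adapt.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample web-proxy log lines: "<timestamp> <client_ip> <url> "<User-Agent>"".
# The format is an assumption for this example, not any real proxy's native format.
SAMPLE_PROXY_LOG = """\
2023-02-27T10:01:02Z 10.0.0.15 http://ads.example.invalid/banner.js "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
2023-02-27T10:01:05Z 10.0.0.16 https://news.example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
2023-02-27T10:01:09Z 10.0.0.17 http://cdn.example.invalid/x.js "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2023-02-27T10:02:11Z 10.0.0.18 https://intranet.example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"
"""

# Assumed log layout: timestamp, client IP, URL, then the User-Agent in double quotes.
LOG_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Classic Internet Explorer token, e.g. "MSIE 9.0".
MSIE_RE = re.compile(r"MSIE (?P<major>\d+)\.\d+")
# IE 11 dropped the MSIE token and identifies through the Trident engine plus rv:11.0.
IE11_RE = re.compile(r"Trident/7\.0;.*rv:11\.0")


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    url: str
    browser: str
    major_version: int


def classify_user_agent(ua: str) -> Optional[Tuple[str, int]]:
    """Return ("Internet Explorer", major_version) for IE user agents, else None."""
    m = MSIE_RE.search(ua)
    if m:
        return ("Internet Explorer", int(m.group("major")))
    if IE11_RE.search(ua):
        return ("Internet Explorer", 11)
    return None


def iter_findings(log_text: str) -> Iterator[Finding]:
    """Yield one Finding per log line whose User-Agent is Internet Explorer."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE_RE.match(line)
        if not m:
            # Tolerate lines that do not fit the assumed format instead of crashing the audit.
            continue
        hit = classify_user_agent(m.group("ua"))
        if hit:
            yield Finding(m.group("ts"), m.group("ip"), m.group("url"), hit[0], hit[1])


def audit_proxy_log(log_text: str) -> List[Finding]:
    """Collect every request made from a legacy Internet Explorer client."""
    return list(iter_findings(log_text))


if __name__ == "__main__":
    for f in audit_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.timestamp} {f.client_ip} reached {f.url} with {f.browser} {f.major_version} "
              f"(legacy browser; exposed to IE flaws such as CVE-2021-26411 named in the report)")
```

Run against the constructed sample, the audit flags the two Internet Explorer clients (10.0.0.15 on IE 11 and 10.0.0.17 on IE 9) and ignores the Chrome and Firefox requests. Feeding the function a day of real proxy logs gives an inventory of hosts that would be served an exploit by a kit that selects payloads from the User-Agent string, which is the list to prioritise for browser retirement or patching.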
Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. It has also been used to exploit memory corruption vulnerabilities impacting Internet Explorer (CVE-2021-26411, CVSS score: 8.8) to deploy RedLine Stealer. Other browser flaws weaponized by the malware include CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2016-0189, CVE-2018-8174, CVE-2019-0752, and CVE-2020-0674.
Data collected by PRODAFT reveals that 45% of the successful infections in 2022 leveraged CVE-2021-26411, followed by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%). SmokeLoader, PureCrypter, IcedID, ZLoader, TrueBot, Ursnif, and Royal ransomware are some of the notable malware families distributed using RIG EK. RIG EK has also been observed attracting traffic from 207 countries, with a 22% success rate over the past two months.
An operational security blunder that exposed the git server led PRODAFT to de-anonymize two of the threat actors: a 31-year-old Uzbekistan national named Oleg Lukyanov and a Russian who goes by the name Vladimir Nikonov. The developer of the Dridex malware has also been linked to the RIG EK’s administrators, owing to the additional manual configuration steps taken to “ensure that the malware was distributed smoothly.”
Key Points:
• RIG Exploit Kit (EK) has achieved a successful exploitation rate of nearly 30% in 2022, according to new findings from Swiss cybersecurity company PRODAFT.
• The kit is a financially-motivated program that has been active since 2014 and is used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software.
• Malvertising is primarily used by the RIG EK operators to ensure a high infection rate and large-scale coverage.
• The exploit kit has been observed delivering a wide range of financial trojans, stealers, and ransomware over the years.
• PRODAFT was able to de-anonymize two of the threat actors and link the developer of the Dridex malware to the RIG EK’s administrators.