Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

RIG Exploit Kit

The RIG Exploit Kit (EK) reached an all-time high exploit success rate of nearly 30% in 2022, new research reveals.

“RIG EK is a financially motivated program that has been active since 2014,” Swiss cybersecurity firm PRODAFT said in a detailed report published in The Hacker News.

“While we haven’t changed our exploits significantly in recent activity, the types and versions of malware we distribute are constantly changing. The frequency of sample updates varies from weekly to daily.”

Exploit kits are programs used to distribute malware to large numbers of victims by exploiting known security flaws in commonly used software such as web browsers.

Because RIG EK operates as a service, attackers pay for the installation of malware chosen by RIG EK administrators on victim machines. RIG EK operators rely primarily on malvertising to achieve high infection rates and broad coverage.

This means that visitors using a vulnerable browser version to access an attacker-controlled webpage or a compromised but legitimate website are redirected by malicious JavaScript code to a proxy server, which delivers the appropriate browser exploit.

The exploit server parses the User-Agent string to detect the user’s browser and returns exploits that “match a predefined vulnerable browser version.”
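Because the kit picks its exploit by matching the User-Agent to a vulnerable browser version, a defender can run the same parse over outbound proxy logs to inventory which internal hosts still browse with the legacy Internet Explorer builds the kit targets. This is an added example, not code from the PRODAFT report; the log format and the client hosts are constructed.

```python
import re

# Constructed proxy log lines (not from the report): timestamp, client IP, URL, quoted User-Agent.
SAMPLE_LOG = """\
2022-11-08T10:01:02Z 10.0.0.5 http://example.test/landing "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
2022-11-08T10:01:09Z 10.0.0.7 http://example.test/news "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
2022-11-08T10:02:15Z 10.0.0.9 http://example.test/promo "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2022-11-08T10:03:40Z 10.0.0.5 http://example.test/ads "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.")

# Trident engine version -> IE major version. IE 11 dropped the MSIE token, and IE in
# Compatibility View lies with an older MSIE token, so the Trident token is the reliable tell.
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}

def ie_version(user_agent):
    """Return the Internet Explorer major version a User-Agent announces, or None for other browsers."""
    t = TRIDENT_RE.search(user_agent)
    if t and int(t.group(1)) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[int(t.group(1))]
    m = MSIE_RE.search(user_agent)  # pre-Trident IE (IE 7 and older) only carries the MSIE token
    return int(m.group(1)) if m else None

def legacy_ie_clients(log_text):
    """Map each client IP that browses with Internet Explorer to the set of IE versions seen."""
    clients = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than mis-attributing them
        _, ip, _, ua = m.groups()
        v = ie_version(ua)
        if v is not None:
            clients.setdefault(ip, set()).add(v)
    return clients

def ie_share(log_text):
    """Fraction of parsable log lines whose browser is Internet Explorer (exposure estimate)."""
    uas = [m.group(4) for m in map(LOG_RE.match, log_text.splitlines()) if m]
    if not uas:
        return 0.0
    return sum(1 for ua in uas if ie_version(ua) is not None) / len(uas)

if __name__ == "__main__":
    print(legacy_ie_clients(SAMPLE_LOG))  # {'10.0.0.5': {8, 11}, '10.0.0.9': {9}}
    print(ie_share(SAMPLE_LOG))           # 0.75
```

Hosts that show up here are the ones whose browser the exploit server would recognise as a match, so they are the first candidates for patching or for being blocked from general web browsing.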

“The clever design of exploit kits allows them to infect devices with little or no end-user interaction,” said the researchers. “On the other hand, using a proxy server makes it harder to detect infections.”

Since its debut in 2014, RIG EK has been observed delivering a variety of financial Trojans, stealers, and ransomware, including AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. Its operations took a major hit in 2017 following a concerted effort to dismantle its infrastructure.


A recent RIG EK campaign targeted a memory corruption vulnerability affecting Internet Explorer (CVE-2021-26411, CVSS score: 8.8) and deployed RedLine Stealer.

Other browser flaws weaponized by this malware include CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2016-0189, CVE-2018-8174, CVE-2019-0752, and CVE-2020-0674.

According to data collected by PRODAFT, 45% of successful infections in 2022 leveraged CVE-2021-26411, followed by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%).


Besides Dridex, Raccoon, and RedLine Stealer, notable malware families distributed using RIG EK include SmokeLoader, PureCrypter, IcedID, ZLoader, TrueBot, Ursnif, and Royal Ransomware.

Additionally, the exploit kit is said to have attracted traffic from 207 countries, reporting a 22% success rate in the last two months alone. Russia, Egypt, Mexico, Brazil, Saudi Arabia, Turkey, and several European countries have recorded the highest number of infections.


“Interestingly, exploit attempt rates were highest on Tuesdays, Wednesdays and Thursdays, with successful infections occurring on those same days,” the researchers explained.

PRODAFT also managed to gain visibility into the kit’s control panel, stating that there are about six different users, two of which (admin and vipr) have administrative privileges. A user profile with the alias ‘pit’ or ‘pitty’ has sub-administrator rights, and the other three (lyr, ump, and test1) have user rights.

The “admin” account is also said to be a dummy user reserved primarily for creating other users, while the administration panel that handles subscriptions is managed through the “pitty” user.

PRODAFT also de-anonymized two of the attackers after an operational security failure exposed their git servers. They are Oleg Lukyanov, a 31-year-old Uzbek national, and a Russian man named Vladimir Nikonov.

The researchers also assessed with high confidence that the developers of the Dridex malware have a “close relationship” with the RIG EK administrators, owing to the additional documentation provided on the configuration steps taken to “ensure smooth malware distribution.”

“Overall, RIG EK runs a very lucrative exploit-as-a-service business, with victims all over the world, a highly effective exploit arsenal and a large number of customers who constantly update their malware,” said the researchers.
