The RIG exploit package (EK) touched an all-time excessive profitable exploitation fee of almost 30% in 2022, new findings reveal.
“RIG EK is a financially-motivated program that has been energetic since 2014,” Swiss cybersecurity firm PRODAFT stated in an exhaustive report shared with The Hacker Information.
“Though it has but to considerably change its exploits in its more moderen exercise, the sort and model of the malware they distribute always change. The frequency of updating samples ranges from weekly to day by day updates.”
Exploit kits are applications used to distribute malware to giant numbers of victims by benefiting from identified safety flaws in commonly-used software program reminiscent of net browsers.
The truth that RIG EK runs as a service mannequin means menace actors can financially compensate the RIG EK administrator for putting in malware of their selection on sufferer machines. The RIG EK operators primarily make use of malvertising to make sure a excessive an infection fee and large-scale protection.
Consequently, guests utilizing a susceptible model of a browser to entry an actor-controlled net web page or a compromised-but-legitimate web site are redirected utilizing malicious JavaScript code to a proxy server, which, in flip, communicates with an exploit server to ship the suitable browser exploit.
The exploit server, for its half, detects the consumer’s browser by parsing the Person-Agent string and returns the exploit that “matches the pre-defined susceptible browser variations.”
“The clever design of the Exploit Package permits it to contaminate units with little to no interplay from the tip consumer,” the researchers stated. “In the meantime, its use of proxy servers makes infections more durable to detect.”
Since arriving on the scene in 2014, RIG EK has been noticed delivering a variety of monetary trojans, stealers, and ransomware reminiscent of AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt an enormous blow in 2017 following a coordinated motion that dismantled its infrastructure.
Latest RIG EK campaigns have focused a reminiscence corruption vulnerability impacting Web Explorer (CVE-2021-26411, CVSS rating: 8.8) to deploy RedLine Stealer.
Different browser flaws weaponized by the malware embrace CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2016-0189, CVE-2018-8174, CVE-2019-0752, and CVE-2020-0674.
In response to information collected by PRODAFT, 45% of the profitable infections in 2022 leveraged CVE-2021-26411, adopted by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%).
In addition to Dridex, Raccoon, and RedLine Stealer, among the notable malware households distributed utilizing RIG EK are SmokeLoader, PureCrypter, IcedID, ZLoader, TrueBot, Ursnif, and Royal ransomware.
Moreover, the exploit package is claimed to have attracted visitors from 207 nations, reporting a 22% success fee over the previous two months alone. Probably the most variety of compromises are situated in Russia, Egypt, Mexico, Brazil, Saudi Arabia, Turkey, and a number of other nations throughout Europe.
“Apparently sufficient, the exploit strive charges had been the best on Tuesday, Wednesday and Thursday – with profitable infections going down on the identical days of the week,” the researchers defined.
PRODAFT, which additionally managed to realize visibility into the package’s management panel, stated there are about six completely different customers, two of whom (admin and vipr) have admin privileges. A consumer profile with the alias “pit” or “pitty” has subadmin permissions, and three others (lyr, ump, and test1) have consumer privileges.
“admin” can be a dummy consumer primarily reserved for creating different customers. The administration panel, which works with a subscription, is managed utilizing the “pitty” consumer.
Nevertheless, an operational safety blunder that uncovered the git server led PRODAFT to de-anonymize two of the menace actors: a 31-year-old Uzbekistan nationwide named Oleg Lukyanov and a Russian who goes by the title Vladimir Nikonov.
It additionally assessed with excessive confidence that the developer of the Dridex malware has a “shut relationship” with the RIG EK’s directors, owing to the extra guide
configuration steps taken to “make sure that the malware was distributed easily.”
“General, RIG EK runs a really fruitful enterprise of exploit-as-a-service, with victims throughout the globe, a extremely efficient exploit arsenal and quite a few clients with always updating malware,” the researchers stated.
