RIG

RIG was discovered in 2014 and remains one of the most active exploit kits today. In February 2015, a security researcher from MalwareTech reported that an underground reseller had leaked RIG's source code after being banned from a hacker forum for trying to scam customers. On August 3, 2015, Trustwave reported that the author of the original RIG EK had released an updated version, labeled RIG 3.0, which maintains the exploitation success rate of the previous version while vastly increasing the number of times it exposes victims to its landing page. After monitoring RIG 3.0 over a six-week period, Trustwave SpiderLabs researchers observed an average infection rate of 27,000 machines per day, totaling over 1.3 million infections worldwide.

RIG 3.0 targets vulnerabilities in Java, Internet Explorer, Adobe Flash Player, and Silverlight, and spreads through malvertisements on web pages. According to Heimdal Security, more than 50 percent of the Windows 7 devices running Internet Explorer 9 that RIG EK targets are successfully exploited, through two Flash vulnerabilities (CVE-2015-5119 and CVE-2015-5122). RIG EK has also been seen spreading through drive-by attacks that use Google search engine optimization (SEO) poisoning and malvertising. In December 2015, Cyphort discovered RIG infecting victims with Radamant ransomware.

After the April-May 2016 decrease in Angler and Nuclear EK activity, RIG EK activity has increased, making it the third-most used EK at about 15 percent of all EK activity.

In June 2016, researchers from Palo Alto Networks discovered the RIG EK distributing the CryptoBit ransomware, also referred to as "CriptoBit" and "Mobef".

Reporting

  • January 2016: RIG EK activity increase during Angler EK break. (CSO)
  • June 2016: RIG distributes the CryptoBit ransomware. (Palo Alto Networks)
  • June 2016: Increase in RIG EK activity. (Threatpost)
  • November 2016: A variant of RIG, labeled "RIG-Empire Pack" or "RIG-E", is distributing the CryptoLuck ransomware to victims. (Bleeping Computer)
  • November 2016: A variant of RIG, labeled "RIG-V" for "VIP", is distributing the Cerber ransomware. (Bleeping Computer)
  • December 2016: RIG was the top EK in December for the fourth month in a row, accounting for 34.8% of overall EK activity that month. All other EKs accounted for small percentages of the EK landscape. (Security Week)
  • January 2017: The EK is distributing CryptoShield 1.0, a new variant of the CryptoMix/CrypMix ransomware. (Bleeping Computer)
  • January 2017: RIG is distributing Sage ransomware. (Bleeping Computer)
  • January 2017: RIG-V is now distributing the Spora ransomware. (Bleeping Computer)
  • January 2017: The latest version of the RIG exploit kit is taking advantage of outdated versions of applications such as Flash, Internet Explorer, and Microsoft Edge to distribute the Cerber ransomware. (ISS Source)
  • February 2017: CryptoShield infections delivered by RIG have increased in early 2017. (ThreatPost)
  • March 2017: New RIG landing pages hosted in South America, Southeast Asia, and Australia, signifying an effort to increase its target demographics and potential victim pool. (SCmagazine)
  • March 2017: RIG is distributing Revenge ransomware, a CryptoMix variant. (BleepingComputer)
  • March 2017: In a possible distribution test, compromised sites are directing victims to the RIG EK that then identifies vulnerabilities it can use to deliver the new PyCL Ransomware. (Bleeping Computer)
  • March 2017: RIG EK is distributing the Ramnit trojan in a new malware campaign, dubbed “Seamless.” The cybercriminals compromise websites and inject malicious iframes that attempt to deliver the malware. (Cisco)
  • April 2017: RIG EK is distributing the new Matrix ransomware targeting Windows operating systems. (Bleeping Computer)
  • April 2017: RIG-V is distributing the Moker trojan. (MalwareBytes)
  • May 2017: Multiple malvertising campaigns deliver the RIG EK, which distributes LatentBot, Philadelphia ransomware, and the Pony and Ramnit trojans. (MalwareBreakdown)
  • June 2017: RIG operators have suffered a major setback as tens of thousands of shadow domains were shut down and removed from the RIG EK infrastructure following a joint operation involving various industry leaders, dubbed "Shadowfall." (BleepingComputer)
  • June 2017: RIG EK usage declines as browser security has improved. (BleepingComputer)
  • July 2017: French domain registrar Gandi had 751 domains hijacked and DNS records changed to redirect traffic to websites hosting the RIG and Neutrino EKs. (BleepingComputer)
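The iframe injection used by the "Seamless" campaign above (and the compromised-site redirects in several other items) leaves a footprint in page source that can be checked for. What follows is an added example, not code from the original page or from any of the cited reports: a small Python scanner that flags iframes hidden by CSS, sized to near zero, positioned off-screen, or pointing at a host other than the page's own. The HTML it scans and every hostname in it are constructed for illustration; the function and helper names are this example's own.

```python
# Added example (not from the original page): flag iframes that look like the
# injected redirectors used in EK campaigns such as "Seamless".
# Heuristics: hidden via CSS, near-zero dimensions, off-screen positioning, or a
# src on a host other than the page's own. Sample HTML and hosts are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d+", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse a leading integer out of a width/height attribute, else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_tiny(attrs):
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return (w is not None and w <= 2) or (h is not None and h <= 2)


def suspicious_iframes(html, page_host):
    """Return a list of {src, reasons} for iframes matching any heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("external host " + host)
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden via CSS")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if _is_tiny(attrs):
            reasons.append("near-zero size")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate same-origin iframe, two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-shop.test/widgets/chat" width="300" height="200"></iframe>
<iframe src="http://ads.example-malvert.test/?id=1" width="1" height="1" style="display:none"></iframe>
<iframe src="http://redirector.example-ek.test/gate" style="position:absolute; left:-9999px; top:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "www.example-shop.test"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

These are triage heuristics, not proof of compromise: analytics and A/B-testing tags also use hidden or 1x1 iframes, so findings should be checked against the site's known third parties before being treated as an EK gate.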

Technical Details

  • A security researcher at RSA provides technical details on the RIG EK, available here.

One example of the Rig EK back-end infrastructure. Image Source: SCMagazine