
Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

justmattg by justmattg
February 28, 2023

The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

“RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

“Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly used software such as web browsers.

Because RIG EK runs as a service, threat actors pay the RIG EK administrator to install malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”

“The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”
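The infection chain described above hinges on the exploit server matching the victim's User-Agent string against a list of vulnerable browser versions, so the clients most at risk are the ones still announcing a legacy Internet Explorer User-Agent to every site they visit. The following is an added example, not code from the article or from PRODAFT, that inventories such clients from web-proxy logs and flags cross-site redirects they were served. The log format, host names and IP addresses are constructed for the example; only the User-Agent token conventions (`MSIE x.y` for IE 10 and earlier, `Trident/7.0 ... rv:11.0` for IE 11) are real.

```python
"""Inventory legacy Internet Explorer clients in web-proxy logs and flag
cross-site redirects served to them.

Added example (not from the article or the PRODAFT report). The log format
is a constructed, simplified forward-proxy line:
  <timestamp> <client_ip> <method> <url> <status> "<referer>" "<user_agent>"
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample traffic (not real logs).
SAMPLE_LOG = """\
2023-02-20T09:01:02Z 10.0.0.5 GET http://ads.example-cdn.test/banner.js 200 "http://news.example.test/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2023-02-20T09:01:03Z 10.0.0.5 GET http://redir.example-proxy.test/?id=1 302 "http://ads.example-cdn.test/banner.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2023-02-20T09:01:04Z 10.0.0.7 GET http://news.example.test/ 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
2023-02-20T09:02:10Z 10.0.0.9 GET http://intranet.example.test/ 200 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2023-02-20T09:02:11Z 10.0.0.9 GET http://ads.example-cdn.test/banner.js 200 "http://news.example.test/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# IE 10 and earlier advertise "MSIE <major>.<minor>"; IE 11 dropped that
# token and advertises "Trident/7.0" together with "rv:11.0".
MSIE_RE = re.compile(r'MSIE (?P<major>\d+)\.\d+')
TRIDENT_RE = re.compile(r'Trident/\d+\.\d+.*rv:(?P<major>\d+)\.\d+')


def ie_major_version(user_agent: str) -> Optional[int]:
    """Return the Internet Explorer major version advertised by a UA, or None."""
    m = MSIE_RE.search(user_agent)
    if m:
        return int(m.group('major'))
    m = TRIDENT_RE.search(user_agent)
    if m:
        return int(m.group('major'))
    return None


def host_of(url: str) -> Optional[str]:
    """Host part of an absolute http(s) URL; None for "-" or relative values."""
    if not url.startswith(("http://", "https://")):
        return None
    return url.split("/")[2]


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def legacy_ie_clients(text: str) -> Dict[str, dict]:
    """Map client IP -> {"ie_version": int, "hosts": sorted hosts it contacted}.

    These are the hosts whose User-Agent an exploit server would match
    against its list of vulnerable browser versions.
    """
    found = defaultdict(lambda: {"ie_version": None, "hosts": set()})
    for rec in parse_log(text):
        ver = ie_major_version(rec["ua"])
        if ver is None:
            continue
        found[rec["client"]]["ie_version"] = ver
        found[rec["client"]]["hosts"].add(host_of(rec["url"]))
    return {c: {"ie_version": v["ie_version"], "hosts": sorted(v["hosts"])}
            for c, v in found.items()}


def cross_site_redirects(text: str) -> List[Tuple[str, str, str]]:
    """(client, referer_host, redirect_host) for 3xx responses served to a
    legacy IE client from a host other than the referring page's host.

    Heuristic only: ad networks legitimately redirect cross-site, so treat
    hits as a triage list, not an alert on their own.
    """
    hits = []
    for rec in parse_log(text):
        if not rec["status"].startswith("3") or ie_major_version(rec["ua"]) is None:
            continue
        ref_host, url_host = host_of(rec["referer"]), host_of(rec["url"])
        if ref_host and url_host and ref_host != url_host:
            hits.append((rec["client"], ref_host, url_host))
    return hits


if __name__ == "__main__":
    for client, info in legacy_ie_clients(SAMPLE_LOG).items():
        print(f"{client}: IE {info['ie_version']} -> {', '.join(info['hosts'])}")
    for hit in cross_site_redirects(SAMPLE_LOG):
        print("cross-site redirect to legacy IE client:", hit)
```

On the sample traffic the inventory lists 10.0.0.5 (IE 11) and 10.0.0.9 (IE 10) and flags the 302 that sent 10.0.0.5 from the ad host to a third host, which is the shape of the redirect-to-proxy step the article describes. In practice the inventory feeds a browser-retirement list, and the redirect hits are enriched with domain reputation before anyone chases them.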

Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.


Recent RIG EK campaigns have targeted a memory corruption vulnerability impacting Internet Explorer (CVE-2021-26411, CVSS score: 8.8) to deploy RedLine Stealer.

Other browser flaws weaponized by the malware include CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2016-0189, CVE-2018-8174, CVE-2019-0752, and CVE-2020-0674.

According to data collected by PRODAFT, 45% of the successful infections in 2022 leveraged CVE-2021-26411, followed by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%).


Besides Dridex, Raccoon, and RedLine Stealer, some of the notable malware families distributed using RIG EK are SmokeLoader, PureCrypter, IcedID, ZLoader, TrueBot, Ursnif, and Royal ransomware.

Furthermore, the exploit kit is said to have attracted traffic from 207 countries, reporting a 22% success rate over the past two months alone. The largest numbers of compromises are located in Russia, Egypt, Mexico, Brazil, Saudi Arabia, Turkey, and several countries across Europe.

“Interestingly enough, the exploit try rates were the highest on Tuesday, Wednesday and Thursday – with successful infections taking place on the same days of the week,” the researchers explained.

PRODAFT, which also managed to gain visibility into the kit’s control panel, said there are about six different users, two of whom (admin and vipr) have admin privileges. A user profile with the alias “pit” or “pitty” has subadmin permissions, and three others (lyr, ump, and test1) have user privileges.

“admin” is also a dummy user mainly reserved for creating other users. The management panel, which works with a subscription, is controlled using the “pitty” user.

However, an operational security blunder that exposed the git server led PRODAFT to de-anonymize two of the threat actors: a 31-year-old Uzbekistan national named Oleg Lukyanov and a Russian who goes by the name Vladimir Nikonov.

It also assessed with high confidence that the developer of the Dridex malware has a “close relationship” with the RIG EK’s administrators, owing to the additional manual configuration steps taken to “ensure that the malware was distributed smoothly.”

“Overall, RIG EK runs a very fruitful business of exploit-as-a-service, with victims across the globe, a highly effective exploit arsenal and numerous customers with constantly updating malware,” the researchers said.
