CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

admin by admin
February 27, 2023
in Information Security


The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

“RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

“Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.

The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”

“The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”

Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.

RIG Exploit Kit

Recent RIG EK campaigns have targeted a memory corruption vulnerability impacting Internet Explorer (CVE-2021-26411, CVSS score: 8.8) to deploy RedLine Stealer.

Other browser flaws weaponized by the malware include CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2016-0189, CVE-2018-8174, CVE-2019-0752, and CVE-2020-0674.

According to data collected by PRODAFT, 45% of the successful infections in 2022 leveraged CVE-2021-26411, followed by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%).

Is Your Business Prepared for the Top SaaS 🛡️ Security Challenges of 2023? Learn How to Tackle Them – Join Our Webinar Now!

Besides Dridex, Raccoon, and RedLine Stealer, some of the notable malware families distributed using RIG EK are SmokeLoader, PureCrypter, IcedID, ZLoader, TrueBot, Ursnif, and Royal ransomware.

Furthermore, the exploit kit is said to have attracted traffic from 207 countries, reporting a 22% success rate over the past two months alone. The most number of compromises are located in Russia, Egypt, Mexico, Brazil, Saudi Arabia, Turkey, and several countries across Europe.

RIG Exploit Kit

“Interestingly enough, the exploit try rates were the highest on Tuesday, Wednesday and Thursday – with successful infections taking place on the same days of the week,” the researchers explained.

PRODAFT, which also managed to gain visibility into the kit’s control panel, said there are about six different users, two of whom (admin and vipr) have admin privileges. A user profile with the alias “pit” or “pitty” has subadmin permissions, and three others (lyr, ump, and test1) have user privileges.

“admin” is also a dummy user mainly reserved for creating other users. The management panel, which works with a subscription, is controlled using the “pitty” user.

However, an operational security blunder that exposed the git server led PRODAFT to de-anonymize two of the threat actors: a 31-year-old Uzbekistan national named Oleg Lukyanov and a Russian who goes by the name Vladimir Nikonov.

It also assessed with high confidence that the developer of the Dridex malware has a “close relationship” with the RIG EK’s administrators, owing to the additional manual

configuration steps taken to “ensure that the malware was distributed smoothly.”

“Overall, RIG EK runs a very fruitful business of exploit-as-a-service, with victims across the globe, a highly effective exploit arsenal and numerous customers with constantly updating malware,” the researchers said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

AWS Melbourne Region has achieved HCF Strategic Certification

Next Post

Innateresponsibility

Related Posts

Information Security

Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

by admin
March 29, 2023
Information Security

How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts

by admin
March 29, 2023
Information Security

Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders

by admin
March 28, 2023
Information Security

20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison

by admin
March 27, 2023
Information Security

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

by admin
March 26, 2023
Next Post

Innateresponsibility

Recommended

Innatelogicalfluency ~ Future of CIO

March 30, 2023

Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

March 29, 2023

How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts

March 29, 2023

Influencing ~ Future of CIO

March 29, 2023

Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders

March 28, 2023

Illogic ~ Future of CIO

March 28, 2023

© CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.