Security Alert: RIG Exploit Kit Speeds Up after Neutrino, Spreads CrypMIC ransomware
Cyber crime is like the mythological Hydra: cut one head and another grows back (or replaces it)
The Neutrino EK campaign takedown that was announced 20 days ago left a big gap in the cyber crime market. And so did the arrest of Angler’s creators. But it didn’t take long for other cyber criminals to jump at the chance to increase their revenues.
Until the Neutrino malvertising rampage was stopped from targeting Internet users indiscriminately earlier this month, cyber attackers deployed massive campaigns that used malicious ads to spread CrypMIC ransomware through drive-by attacks. And now RIG exploit kit is picking up right where Neutrino left off.
With no shortage of exploit kits on the market, one of the most popular ones was bound to absorb the freed-up market share. As a consequence, RIG is growing fast.
The current campaign uses the classic method of script injection to compromise legitimate web pages and turn them into vectors for malware distribution. The injected script redirects Internet traffic to multiple domains which have been hijacked and are now used for domain shadowing.
RIG exploit kit has been spotted in several campaigns that use an “iframe src” as the malicious inject to divert traffic to the arbitrary web pages created through domain shadowing. Some of these infected domains include [sanitized]:
arizonasboonstak.artofmusicstudio [.] com
pravde2lamineer.panichconsulting [.] com
laceriakoksverket.lovepassfilter [.] com
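A small detector for the injection pattern described above: it parses a page's HTML and flags iframes whose src points off-site, adding a second reason when the frame is hidden or sized 1x1, which is how these injects typically look. This is an added example, not code from the article or from CSIS; the sample page and the hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # html.parser lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _looks_hidden(attrs):
    """True for display:none / visibility:hidden or a 1x1 (or smaller) frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(attrs.get("width", "100").rstrip("px"))
        h = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:
        return False
    return w <= 1 or h <= 1

def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Same-site embeds (the host itself or one of its subdomains) are expected.
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        reasons = ["off-site src"]
        if _looks_hidden(attrs):
            reasons.append("hidden or 1x1")
        hits.append((src, reasons))
    return hits

# Constructed sample page: one legitimate embed, one injected hidden iframe
# pointing at a made-up shadowed subdomain (all hostnames are placeholders).
SAMPLE_HTML = """<html><body><h1>Legit page</h1>
<iframe src="https://videos.legit-site.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://qwzxrv.shadowed-sub.example/index.php?id=7" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "legit-site.example"):
        print(src, "->", ", ".join(reasons))
```

Run it over crawled copies of your own pages and alert on any hit; a legitimate third-party embed will show only the first reason, while an inject like the one described here usually carries both.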
The current campaign is linked to Pseudo Darkleech, a type of injection that randomizes some of its elements to keep the malware covert and detection rates low. As with all second-generation malware, the threat keeps changing to avoid being caught by traditional antivirus (injection sample shown in the original article; source: the Sucuri blog).
In the observed attacks, the payload is delivered by taking advantage of various recent vulnerabilities in Adobe Flash Player, a cyber criminals’ favourite.
The CrypMIC payload is dropped into the Windows temporary folder under a random file name. The file runs as the logged-in user (for example, with administrator rights if that user has them) and immediately connects to a central C&C (Command & Control) server over TCP port 443.
Unfortunately, antivirus detection is very low, as a consequence of the attackers’ efforts to remain undetected for as long as possible. Only 4/57 solutions have picked it up so far, as you can see on VirusTotal.
This goes to show once more that you need to think of your cyber security in layers, and never underestimate cyber criminals and their tactics.
*This article features cyber intelligence provided by CSIS Security Group researchers.