The takedown of the Neutrino exploit kit (EK) campaign, announced 20 days ago, left a big gap in the cyber crime market, as did the arrest of Angler's creators. But it didn't take long for other cyber criminals to jump at the chance to increase their revenues.

Until the Neutrino malvertising rampage was stopped earlier this month, attackers ran massive campaigns that used malicious ads to spread CrypMIC ransomware through drive-by attacks on Internet users indiscriminately. Now the RIG exploit kit is picking up right where Neutrino left off.

With no shortage of exploit kits on the market, one of the most popular was bound to gain the vacated market share, and RIG is growing fast as a result.

The current campaign uses the classic method of script injection: legitimate web pages are compromised and turned into vectors for malware distribution. The injected script redirects traffic to multiple hijacked domains that are now used for domain shadowing.

RIG has been spotted in several campaigns that use an injected "iframe src" to divert traffic to arbitrary web pages created through domain shadowing. Some of these domains include [sanitized]:

arizonasboonstak.artofmusicstudio [.] com
pravde2lamineer.panichconsulting [.] com
laceriakoksverket.lovepassfilter [.] com

The current campaign is linked to Pseudo-Darkleech, a type of infection that randomizes some of its elements to keep the malware covert and detection rates low. As with all second-generation malware, the threat keeps changing to avoid being caught by traditional antivirus:

The "Pseudo-Darkleech" infection constantly evolves. It became much stealthier than the original version. It experiments with new URL patterns in its iframes: at this point, it can be recognized by DNS shadowing and forum-like URLs. Recently, the iframe has been injected via creative obfuscated JavaScript code.

Source: the Sucuri blog
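For site owners checking their own pages for the inject pattern described above (an "iframe src" pointing at a shadowed subdomain of an unrelated domain), here is an added detection example; it is not code from the original post or from Sucuri. It refangs the sanitized hosts quoted above, parses a page for iframes, and flags known campaign hosts and hidden iframes to third-party hosts; the sample HTML is constructed, and the two-label domain comparison is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def refang(indicator: str) -> str:
    """Turn the '[.]' notation used in threat reports (with or without spaces) into a real hostname."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).strip().lower()

# The three sanitized hosts quoted in the post, refanged so they can be matched.
KNOWN_SHADOW_HOSTS = {refang(h) for h in ("arizonasboonstak.artofmusicstudio [.] com",
    "pravde2lamineer.panichconsulting [.] com", "laceriakoksverket.lovepassfilter [.] com")}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs: dict) -> bool:
    """1x1 or display:none iframes are the usual shape of an injected redirector."""
    try:
        tiny = int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1
    except ValueError:
        tiny = False
    return tiny or "display:none" in attrs.get("style", "").replace(" ", "").lower()

def find_suspicious_iframes(html: str, page_host: str, known_hosts=KNOWN_SHADOW_HOSTS):
    """Return [(src, reasons)] for iframes that match the inject pattern described above."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        host = (urlparse(f.get("src", "")).hostname or "").lower()
        reasons = []
        if host in known_hosts:
            reasons.append("known campaign host")
        # Assumption: the last two labels approximate the registrable domain (use a public-suffix list in production).
        if host and is_hidden(f) and host.split(".")[-2:] != page_host.lower().split(".")[-2:]:
            reasons.append("hidden iframe to a third-party host (domain-shadowing pattern)")
        if reasons:
            hits.append((f.get("src", ""), reasons))
    return hits

# Constructed sample: a legitimate page with one normal embed and one injected, hidden iframe.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://arizonasboonstak.artofmusicstudio.com/forum/topic/1392" width="1" height="1"></iframe>
</body></html>"""
```

Run `find_suspicious_iframes(SAMPLE_HTML, "example.com")` to see only the injected iframe reported, with both reasons.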

In the observed attacks, the payload is delivered by exploiting various recent vulnerabilities in Adobe Flash Player, a favourite of cyber criminals.

The CrypMIC payload is dropped into the Windows temporary folder under a random file name. It runs with the privileges of the logged-in user (for example, with administrator rights if that account is an administrator) and immediately connects to a central C&C (command and control) server over TCP port 443.

Unfortunately, antivirus detection is very low, a consequence of the attackers' efforts to remain undetected for as long as possible: only 4/57 solutions had picked it up at the time of writing, as you can see on VirusTotal.


This goes to show once more that cyber security has to be built in layers, and that cyber criminals and their tactics should never be underestimated.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Pairazaman Yadira on December 4, 2021 at 2:32 am

Thank you very much for the information. Highly recommended! Best regards!

Hey, very interesting blog!

Hey there! Do you know if they make any plugins to protect against hackers?
I’m kinda paranoid about losing everything I’ve worked hard on.
Any recommendations?

There are plenty of tools you can use, including plugins. Check out this list:
