
The Neutrino EK campaign takedown that was announced 20 days ago left a big gap in the cyber crime market. And so did the arrest of Angler’s creators. But it didn’t take long for other cyber criminals to jump at the chance to increase their revenues.

Until the Neutrino malvertising rampage was stopped from targeting Internet users indiscriminately earlier this month, cyber attackers deployed massive campaigns that used malicious ads to spread CrypMIC ransomware through drive-by attacks. And now RIG exploit kit is picking up right where Neutrino left off.

Although there is no shortage of exploit kits on the market, one of the remaining popular kits was bound to absorb that market share. As a consequence, RIG is growing fast.

The current campaign uses the classic method of script injection to compromise legitimate web pages and turn them into vectors for malware distribution. The injected script redirects Internet traffic to multiple subdomains created on hijacked domains, a technique known as domain shadowing.

RIG exploit kit has been spotted in several campaigns that inject an iframe whose src attribute diverts traffic to the attacker-created pages hosted on the shadowed domains. Some of the infected domains observed include (sanitized):

arizonasboonstak.artofmusicstudio [.] com
pravde2lamineer.panichconsulting [.] com
laceriakoksverket.lovepassfilter [.] com

The current campaign is linked to Pseudo-Darkleech, a type of infection that randomizes some of its elements to keep the malware covert and detection rates low. As with all second-generation malware, the threat keeps changing to avoid being caught by traditional antivirus:

The “Pseudo-Darkleech” infection constantly evolves. It has become much stealthier than the original version. It experiments with new URL patterns in its iframes: at this point, it can be recognized by DNS shadowing and forum-like URLs. Recently, the iframe has been injected via creatively obfuscated JavaScript code.

Source: the Sucuri blog
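The inject pattern described above (a cross-site iframe, usually hidden, pointing at a freshly created subdomain on a third-party zone) is something a site owner can scan their own pages for. The following detector is an added example written for this article, not code from Heimdal, Sucuri or the campaign; the sample HTML and the hostnames in it are constructed placeholders, not real indicators, and the subdomain heuristic is a coarse assumption (long leftmost label under a third-party domain), not a published rule.

```python
"""Flag hidden cross-site iframe injects of the RIG / pseudo-Darkleech shape.
Added example; sample page and hostnames below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag seen while parsing."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def looks_hidden(a):
    """1x1 / 0x0 frames or display:none styles are the usual drive-by shape."""
    style = (a.get("style") or "").replace(" ", "").lower()
    sized = [k for k in ("width", "height") if a.get(k) is not None]
    tiny = bool(sized) and all(a[k].strip() in ("0", "1") for k in sized)
    return tiny or "display:none" in style or "visibility:hidden" in style


def looks_shadowed(host):
    """Heuristic (assumption): a long leftmost label on a third-level (or deeper)
    name is how shadowed subdomains on a hijacked zone typically look."""
    labels = host.split(".")
    return len(labels) >= 3 and len(labels[0]) >= 12


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes that are cross-site and hidden/shadowed."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for a in p.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        if not host or host == page_host or host.endswith("." + page_host):
            continue  # same-site frames are normal
        reasons = [r for r, ok in (("hidden", looks_hidden(a)),
                                   ("shadowed-subdomain", looks_shadowed(host))) if ok]
        if reasons:
            hits.append((src, reasons))
    return hits


SAMPLE = """<html><body><p>Legitimate content</p>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://qwertyasdfghzxc.hijacked-zone.invalid/forum/viewtopic.php?t=1234" width="1" height="1" style="position:absolute;top:-999px"></iframe>
<iframe src="http://cdn.partner.invalid/widget" style="display: none"></iframe>
</body></html>"""  # constructed sample page

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE, "www.example.com"):
        print(src, why)
```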

In the observed attacks, the payload is delivered by exploiting various recent vulnerabilities in Adobe Flash Player, a favourite of cyber criminals.

The CrypMIC payload is dropped into the Windows temporary folder with a random file name. The file runs with the privileges of the logged-in user (for example, administrator rights) and immediately connects to a central C&C (Command & Control) server over TCP port 443.

Unfortunately, antivirus detection is very low, a consequence of the attackers’ efforts to remain undetected for as long as possible. Only 4/57 solutions have picked it up so far, as you can see on VirusTotal.

[Image: crypmic-rig-exploit-kit-attack (VirusTotal detection results for the CrypMIC sample)]

This goes to show once more that you need to think of your cyber security in layers, and never underestimate cyber criminals and their tactics.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

Hey there! Do you know if they make any plugins to protect against hackers?
I’m kinda paranoid about losing everything I’ve worked hard on.
Any recommendations?

There are plenty of tools you can use, including plugins. Check out this list: https://heimdalsecurity.com/blog/free-cyber-security-tools-list/
