The RIG Exploit Kit is currently in its most successful phase, attempting approximately 2,000 attacks per day and succeeding approximately 30% of the time, the highest rate in the service’s long operational history.
By exploiting relatively old Internet Explorer vulnerabilities, RIG EK has been observed spreading various malware families, including Dridex, SmokeLoader, and RaccoonStealer.
According to a detailed report by Prodaft, whose researchers gained access to the service’s backend web panel, the exploit kit remains a significant and large-scale threat to individuals and organizations.
The dirty history of RIG EK
RIG EK was first released eight years ago, in 2014, and advertised as an “exploit-as-a-service” leased to other malware operators to proliferate their malware onto vulnerable devices.
When a user lands on a page hosting the kit, its malicious scripts run and try to exploit various vulnerabilities in the browser to automatically install malware on the device.
In 2015, the authors released the second major version of the kit, laying the foundation for larger and more successful operations.
However, in 2017, RIG suffered a major blow when a coordinated takedown operation wiped out large parts of its infrastructure and severely disrupted its activity.
In 2019, RIG returned, this time focusing on ransomware distribution to help Sodinokibi (REvil), Nemty, and ERIS ransomware compromise organizations with data-encrypting payloads.
In 2021, the owner of RIG announced that the service would be discontinued. However, RIG 2.0 returned in 2022 with two new exploits (CVE-2020-0674 and CVE-2021-26411 in Internet Explorer) and achieved an unprecedented rate of successful infections.
In April 2022, Bitdefender reported that RIG was used to drop Redline Information Stealer malware on victims.
While many of the exploits used by RIG EK target Internet Explorer, which Microsoft Edge has long since replaced, that browser is still present on millions of enterprise devices, making them a prime target.
Current attack volume
According to Prodaft, RIG EK currently targets 207 countries, launches an average of 2,000 attacks per day, and has a current success rate of 30%. That rate was 22% before the exploit kit reappeared with two new exploits, says Prodaft.
Infection attempts and successful intrusions for 2022 (Prodaft)
As the heat map published in the report shows, Germany, Italy, France, Russia, Turkey, Saudi Arabia, Egypt, Algeria, Mexico and Brazil are the most affected countries. However, there are victims worldwide.
Victims of RIG EK (Prodaft)
CVE-2021-26411 has the highest success rate at 45%, followed by CVE-2016-0189 with 29% and CVE-2019-0752 with 10%.
Exploits used by RIG EK and their success rate (Prodaft)
CVE-2021-26411 is a critical memory corruption bug in Internet Explorer, fixed by Microsoft in March 2021, that is triggered by viewing a maliciously crafted website.
Vulnerabilities CVE-2016-0189 and CVE-2019-0752 also reside in Internet Explorer and allow remote code execution in the browser.
CISA issued an active-exploitation alert for CVE-2019-0752 in February 2022, warning system administrators that the vulnerability is still being exploited and urging them to apply the available security updates.
A variety of malicious payloads
Currently, RIG EK primarily delivers information-stealing and initial-access malware, with Dridex being the most common (34%), followed by SmokeLoader (26%), RaccoonStealer (20%), Zloader (2.5%), Truebot (1.8%) and IcedID (1.4%).
Types of malware currently distributed by RIG EK (Prodaft)
Of course, the types of malware distributed by RIG EK are constantly changing depending on which cyber criminals are using the service.
Prodaft has also previously observed the spread of Redline, RecordBreaker, PureCrypter, Gozi, Royal Ransomware, and UrSnif.
The distribution of the Dridex banking Trojan is particularly interesting because there are indications that the RIG operators have taken measures to ensure it is delivered smoothly.
“The RIG administrator had performed additional manual configuration steps to ensure the malware was distributed smoothly,” Prodaft explains in the report.
“In view of all of these facts, we assume with great confidence that the developer of the Dridex malware has a close relationship with the administrators of RIG.”
It should be noted that a year ago Dridex was associated with Entropy ransomware attacks, so RIG EK breaches could lead to data encryption incidents.
RIG EK remains a significant threat to individuals and organizations using outdated software, threatening to infect their systems with stealthy information stealers that can exfiltrate highly sensitive data.
However, RIG EK’s focus on Internet Explorer may mean that the service will soon become obsolete, as Microsoft permanently retired Internet Explorer in February 2023 and redirected users to Microsoft Edge.