Changes in the exploit kit market indicate that RIG is currently the most deployed exploit kit (EK) service, and it appears to be taking Neutrino's place. Since the demise of Angler, the two kits have been battling for the lead position on the malware market; RIG is now on top, as is evident from the number and intensity of its malvertising campaigns.
According to multiple security vendors such as Malwarebytes, Cisco Talos, and Heimdal Security, attacks involving the RIG EK have increased.
Malwarebytes researchers observed a malvertising incident on the popular website answers.com, which receives about 2 million visits daily. The infection chain looked very similar to those of Angler and Neutrino, but it was in fact RIG doing the work: it used the domain shadowing technique together with the HTTPS open redirector from Rocket Fuel.
Is RIG Replacing Neutrino?
In early September we [Malwarebytes] noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary. This may seem like a minor difference, but it has been Neutrino’s trademark for a long time and used as a way to bypass certain proxies.
Another indication that RIG has taken over the exploit kit market is the payload seen in several operations: the CrypMIC ransomware, which was previously dropped by Neutrino.
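The parent-process change described above is something a defender can hunt for directly in endpoint telemetry. The following Python script is an added example, not Malwarebytes' or the article's own code: it walks constructed Sysmon-style process-creation events (the pids, parent pids and image paths are made up for the example) and flags executables launched from user-writable directories whose parent is a script host such as wscript.exe, or whose ancestry within three hops includes iexplore.exe. The process names, directory markers and hop limit are assumptions to tune for your environment.

```python
"""Flag drive-by payload process trees in constructed process-creation events."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: image names as they appear in Sysmon/EDR process-creation events.
BROWSERS = {"iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a drive-by dropper can write to without elevation (assumption).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
MAX_HOPS = 3  # how far up the tree to look for a browser


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def ancestry(by_pid: Dict[int, ProcEvent], ev: ProcEvent, max_hops: int = MAX_HOPS) -> List[str]:
    """Image names of ev's ancestors, nearest parent first, up to max_hops."""
    chain: List[str] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_hops:
        chain.append(_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def find_dropped_payloads(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for binaries in user-writable paths with a suspicious lineage."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if not _user_writable(ev.image):
            continue  # only binaries a dropper could have written are of interest
        chain = ancestry(by_pid, ev)
        if not chain:
            continue
        lineage = " <- ".join(chain)
        if chain[0] in SCRIPT_HOSTS:
            # The newer RIG pattern (and Neutrino's long-standing one): script host is the parent.
            findings.append((ev.pid, f"{_name(ev.image)} spawned by script host {chain[0]}; chain {lineage}"))
        elif any(a in BROWSERS for a in chain):
            # The classic pattern: the payload descends directly from the browser.
            findings.append((ev.pid, f"{_name(ev.image)} descends from browser; chain {lineage}"))
    return findings


# Constructed sample events: one benign tree and two drive-by chains.
SAMPLE_EVENTS = [
    ProcEvent(100, 0, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe"),            # browser -> script host
    ProcEvent(400, 300, r"C:\Users\bob\AppData\Local\Temp\rad1A2B3.tmp.exe"),  # script host -> payload
    ProcEvent(500, 200, r"C:\Users\bob\AppData\Local\Temp\u8x.exe"),    # browser -> payload (old pattern)
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe"),            # user-launched logon script
    ProcEvent(700, 600, r"C:\Program Files\Foo\updater.exe"),           # not user-writable: ignored
    ProcEvent(800, 100, r"C:\Users\bob\AppData\Local\Temp\setup.exe"),  # from explorer: ignored
]

if __name__ == "__main__":
    for pid, reason in find_dropped_payloads(SAMPLE_EVENTS):
        print(pid, reason)
```

The rule deliberately ignores a Temp-directory binary launched straight from explorer.exe, since that is what a user double-clicking a download looks like; what distinguishes a drive-by is the script host or browser in the lineage.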
What Is Domain Shadowing?
In short, domain shadowing is the practice of compromising multiple domain registrant accounts and using them to create subdomains under legitimate domains for malicious purposes. It is nothing new on the malicious horizon. The tactic is effective because the parent domain has a clean reputation, so the freshly created subdomains slip past reputation-based blocking at the gateway; in the answers.com campaign it was combined with the HTTPS open redirector, which cloaks the ad traffic in an encrypted channel.
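Because shadowed subdomains appear in bursts under an otherwise quiet parent domain and point at infrastructure the parent never used, they can be spotted in passive DNS. The following Python script is an added example, not code from the article or from any vendor it cites: it groups constructed passive-DNS sightings (the names, timestamps and RFC 5737 documentation addresses are made up) by registered domain, records the first sighting of each subdomain that resolves away from the apex's own addresses, and raises an alert when several such random-looking subdomains first appear within a short window. The window, burst size and entropy threshold are assumptions, and the apex extraction is naive; production code should use the Public Suffix List.

```python
"""Flag domain-shadowing bursts in constructed passive-DNS records."""
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class DnsRecord(NamedTuple):
    seen: datetime
    name: str
    ip: str


WINDOW = timedelta(hours=6)  # burst window (assumption; tune per environment)
MIN_BURST = 4                # new off-apex subdomains within WINDOW to alert
MIN_ENTROPY = 2.5            # bits/char; machine-generated labels score higher


def registered_domain(fqdn: str) -> str:
    """Naive apex extraction (last two labels). Use the Public Suffix List in practice."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy of a single DNS label, in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))


def shadowing_alerts(records: List[DnsRecord]) -> Dict[str, List[str]]:
    """Map apex -> suspicious subdomains for apexes that show a shadowing burst."""
    by_apex: Dict[str, List[DnsRecord]] = defaultdict(list)
    for r in records:
        by_apex[registered_domain(r.name)].append(r)

    alerts: Dict[str, List[str]] = {}
    for apex, recs in by_apex.items():
        own_names = {apex, "www." + apex}
        apex_ips = {r.ip for r in recs if r.name.lower().rstrip(".") in own_names}
        # First sighting of every subdomain that resolves away from the apex's infrastructure.
        first_seen: Dict[str, datetime] = {}
        for r in sorted(recs, key=lambda rec: rec.seen):
            host = r.name.lower().rstrip(".")
            if host in own_names or r.ip in apex_ips:
                continue
            first_seen.setdefault(host, r.seen)
        times = sorted(first_seen.items(), key=lambda kv: kv[1])
        # Sliding window over first-seen timestamps: find the largest burst of new hosts.
        best: List[str] = []
        for i, (_, t0) in enumerate(times):
            burst = [h for h, t in times[i:] if t - t0 <= WINDOW]
            if len(burst) > len(best):
                best = burst
        random_looking = [h for h in best if label_entropy(h.split(".")[0]) >= MIN_ENTROPY]
        if len(best) >= MIN_BURST and 2 * len(random_looking) >= len(best):
            alerts[apex] = sorted(best)
    return alerts


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sightings: example.org behaves normally, example.net shows a shadowing burst.
SAMPLE_RECORDS = [
    DnsRecord(_t("2016-09-01 00:00"), "example.org", "203.0.113.10"),
    DnsRecord(_t("2016-09-01 00:00"), "www.example.org", "203.0.113.10"),
    DnsRecord(_t("2016-09-02 10:00"), "mail.example.org", "203.0.113.25"),
    DnsRecord(_t("2016-09-10 12:00"), "blog.example.org", "203.0.113.10"),
    DnsRecord(_t("2016-09-01 00:00"), "example.net", "198.51.100.5"),
    DnsRecord(_t("2016-09-01 00:00"), "www.example.net", "198.51.100.5"),
    DnsRecord(_t("2016-09-12 08:05"), "k3j9xq.example.net", "192.0.2.44"),
    DnsRecord(_t("2016-09-12 08:07"), "7hd2pwf.example.net", "192.0.2.44"),
    DnsRecord(_t("2016-09-12 08:30"), "a9z1mn.example.net", "192.0.2.45"),
    DnsRecord(_t("2016-09-12 09:12"), "qwe4rtb.example.net", "192.0.2.45"),
    DnsRecord(_t("2016-09-12 11:40"), "zx8cvy.example.net", "192.0.2.44"),
    DnsRecord(_t("2016-09-12 11:41"), "k3j9xq.example.net", "192.0.2.44"),  # repeat sighting
]

if __name__ == "__main__":
    for apex, hosts in shadowing_alerts(SAMPLE_RECORDS).items():
        print(apex, hosts)
```

The entropy check is only a secondary filter (ordinary labels such as "support" can score above 2.5); the primary signal is the burst of never-before-seen subdomains resolving to addresses the parent domain has no history with.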
Since a malvertising drive-by can infect a system with no user interaction beyond loading a page that carries the ad, you should keep your operating system, browser and plugins fully up to date and uninstall programs you do not need. Running an additional layer of protection, such as exploit mitigation software, helps stop drive-by download attacks that leverage zero-day vulnerabilities for which no patch exists yet.
A recent Digital Shadows report indicates that the exploit kit market is not that crowded anymore, so malware operators do not have much choice. That would also explain the high rate of attacks built on RIG.
The exploit kits still active today are RIG, Neutrino, Magnitude, Sundown, and Hunter.