The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service’s long operational history.
By exploiting relatively old Internet Explorer vulnerabilities, RIG EK has been seen distributing various malware families, including Dridex, SmokeLoader, and RaccoonStealer.
According to a detailed report by Prodaft, whose researchers gained access to the service’s backend web panel, the exploit kit remains a significant large-scale threat to individuals and organizations.
RIG EK’s sordid history
RIG EK was first released eight years ago, in 2014, and promoted as an “exploit-as-a-service” rented to other malware operators to spread their malware on vulnerable devices.
When a user visits these sites, the malicious scripts will be executed and attempt to exploit various vulnerabilities in the browser to install malware on the device automatically.
In 2015, the kit’s authors released the second major version of the kit, laying the ground for more extensive and successful operations.
In 2017 though, RIG suffered a significant blow following a coordinated takedown action that wiped out large parts of its infrastructure, severely disrupting its operations.
In 2019, RIG returned, this time focusing on ransomware distribution, helping Sodinokibi (REvil), Nemty, and ERIS ransomware, compromise organizations with data-encrypting payloads.
In 2021, RIG’s owner announced the service would shut down; however, RIG 2.0 returned in 2022 with two new exploits (CVE-2020-0674 and CVE-2021-26411 in Internet Explorer), reaching an all-time high successful breach ratio.
In April 2022, Bitdefender reported that RIG was being used to drop the Redline information-stealer malware onto victims.
While many of the exploits targeted by RIG EK are for Internet Explorer, which Microsoft Edge has long replaced, the browser is still used by millions of Enterprise devices, which are a primary target.
Current attack volumes
Prodaft says RIG EK currently targets 207 countries, launching an average of 2,000 attacks per day and having a current success rate of 30%. This rate was 22% before the exploit kit resurfaced with two new exploits, says Prodaft.
As the heatmap published in the report shows, the most impacted countries are Germany, Italy, France, Russia, Turkey, Saudi Arabia, Egypt, Algeria, Mexico, and Brazil. However, there are victims worldwide.
The highest success rate is brought by CVE-2021-26411, achieving a 45% successful exploitation ratio, followed by CVE-2016-0189 with 29% and CVE-2019-0752 with 10%.
CVE-2021-26411 is a high-severity memory corruption flaw in Internet Explorer that Microsoft fixed in March 2021, triggered by viewing a maliciously crafted website.
The CVE-2016-0189 and CVE-2019-0752 vulnerabilities are also in Internet Explorer, allowing remote code execution in the browser.
CISA published an active exploitation alert for CVE-2019-0752 in February 2022, warning system administrators the vulnerability is still being exploited and to apply available security updates.
A variety of malicious payloads
Currently, RIG EK primarily pushes information-stealing and initial access malware, with Dridex being the most common (34%), followed by SmokeLoader (26%), RaccoonStealer (20%), Zloader (2.5%), Truebot (1.8%), and IcedID (1.4%).
Of course, the types of malware spread by RIG EK constantly change depending on which cybercriminals choose to use the service.
Prodaft has previously also observed the distribution of Redline, RecordBreaker, PureCrypter, Gozi, Royal Ransomware, and UrSnif.
Distributing the Dridex banking trojan is particularly interesting because there are signs that the RIG operators have taken action to ensure its distribution is problem-free.
“The RIG administrator had taken additional manual configuration steps to ensure that the malware was distributed smoothly,” explains Prodaft in the report.
“Considering all these facts, we assess with high confidence that the developer of Dridex malware has a close relationship with the RIG’s admins.”
It should be noted that Dridex was linked to Entropy ransomware attacks a year ago, so RIG EK breaches could lead to data-encryption incidents.
The RIG EK remains a significant threat to individuals and organizations using outdated software, threatening to infect their systems with stealthy information stealers that can siphon highly-sensitive data.
However, RIG EK’s focus on Internet Explorer may cause the service to become soon obsolete as Microsoft finally retired Internet Explorer in February 2023, redirecting users to Microsoft Edge.