RIG exploit kit crimewave infects millions

The latest version of the exploit kit is active and has infected 1.3 million people.


RIG exploit kit version 3.0 has been released and has already infected 1.25 million people at an average rate of 27,000 machines per day.

A few months ago, the RIG exploit kit's future was in jeopardy after an unhappy client leaked the kit's exploit code across the web. After source code relating to RIG 2.0 was leaked, the developer has been working hard to improve the latest version, which borrows the same concepts but also makes a number of environmental changes.

According to Trustwave researchers, the latest version, RIG 3.0, achieves the same high rates of infection as its predecessor. Since its release, the kit has sent the malicious RIG landing page to 3.5 million potential victims, achieving an infection rate of 1.25 million machines.

Trustwave researchers say the high rate of infection is due to Adobe Flash exploits -- some of which were revealed as a result of the Hacking Team leak -- such as CVE-2015-5119 and CVE-2015-5122, which have been integrated within the exploit kit.

See also: Free Hacking Team malware checker released

Once exploited, unpatched machines are infected with various malware payloads. However, the top payload is the Tofsee spambot which represents 70 percent of all infections. One customer, dubbed customer X, controls and distributes this spam bot.

Read this

10 steps to erase your digital footprint

How do you vanish online? Follow these 10 steps to get started.

Read More

Over the course of four weeks, customer X was able to infect approximately 500,000 machines. The research team says the "going rate" for spam campaigns is roughly $0.50 per 1,000 successfully sent emails, and the Tofsee bot is able to send up to one million emails per day.

Out of one million emails, approximately 2,000 were deemed successful in hoodwinking victims.

Trustwave researchers estimate this single customer is able to make between $60,000 -- $100,000 per month.

Trustwave says that 90 percent of traffic hitting the RIG exploit kit is the result of malvertising -- malicious code embedded within advertisements that redirect visitors unknowingly to the campaign. The majority of large companies use advertising networks in some way to support online domains, and may turn to affiliates which offer ads for low prices.

This, in turn, is a perfect way for RIG to grab traffic hits without being detected and without the knowledge of large, legitimate websites.

As an example, buy-targeted-traffic.com offers 1,000 ad impressions for as low as 20 cents, a service ripe for abuse by exploit kit operators.

While RIG version 3.0 is similar to its predecessor, there are some changes of note.

The virtual dedicated server (VDS), the middle layer of RIG 3.0, acts as a proxy layer between exploits and the administrative layer and is basically unchanged despite the source code leak. This type of infrastructure is highly effective and is only detected as malicious one percent of the time on VirusTotal. However, RIG 3.0 only uses a single VDS server, which may suggest the reseller model is no longer in use in the exploit kit's distribution network.

"Though we can't know for sure what the reason for this change is, it seems reasonable that this decision was at least partly motivated by the fact that a reseller was the cause for the RIG 2.0 leak," Trustwave says.

The URL pattern of RIG has also been tweaked, and vulnerabilities which once allowed resellers to steal -- and leak -- the RIG source code have been patched. Users can no longer access internal files hosted on RIG's backend server and Cloudflare is being used to protect RIG 3.0 from distributed denial-of-service (DDoS) attacks.

"It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated, and worst of all, more widespread," Trustwave says.

Following the arrest of Paunch, the alleged creator of the Blackhole exploit kit last year, other packages including Siesta and Sweet Orange have surged in popularity. When we consider how easily exploit kits can be used to dupe web users out of their personal data or financial information, it is unlikely exploit kits are going to disappear any time soon.

Read on: Top picks

In pictures:


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All