Early 2015, part of the source code for the 2.0 version of the RIG exploit kit was leaked online due to a dispute between the main developer and a reseller. According to the researchers at Trustwave, the developer has recently released a 3.0 version of the RIG exploit kit which includes some significant improvements to avoid the analysis of the source code.
The developer of the version 3.0 RIG exploit kit has patched the vulnerabilities that allowed the reseller to steal the source code. The experts discovered that the new variant doesn’t allow unauthenticated users to access internal files hosted on the backend server.
The RIG developer has chosen CloudFlare to protect the control panel of its architecture against DDoS attacks. The researchers also discovered that payloads are no longer stored in a folder on the server to prevent users from uploading backdoors.
The researchers that investigated on the 3.0 version of the RIG exploit kit succeeded in access administration servers used by two RIG instances. The new variant of RIG exploit kit is responsible for more than 3.5 million infection attempts.
“The screenshots above, taken from the two RIG instances we observed, show the up-to-date state of RIG. It is evident from this overview that not only did RIG 3.0 manage to maintain the exploitation percentage of RIG 2.0, it also managed to vastly increase its number of hits- reaching the high volume of over 3.5 million hits recorded thus far in both instances combined. ” states the post published by Trustwave.
According to the researchers over 1.3 million of these infections were successful, which corresponds to a 34 percent success rate. The majority of victims is located in Brazil (450,529 infections) and Vietnam (302,705). Other infections were observed in the US (45,000) , UK (10,000) , and Canada (4,000).
The number of new infections per day is 27,000 on average, the majority of victims is infected with the Tofsee spam bot, only one of the RIG 3.0 customers distributes Tofsee and experts have estimated that his revenues were between $60,000 and $100,000 per month.
The experts highlighted that the RIG exploit kit were prevalently served through malvertising campaign, which used a number of websites ranked in Alexa’s top 3000.
“Our investigation shows that 90% of the traffic flowing into the various campaigns of the RIG exploit kit were a result of malvertisement (malicious ads). Apparently, according to the referers, many large websites were abused by malvertising campaigns in order to redirect visitors to the RIG exploit kit, these include large news sites, investment consulting firms, IT solution provides, etc. – all of them ranked in Alexa’s top 3000.” continues the post.
(Security Affairs – RIG Exploit Kit 3.0, cybercrime)