When an exploit kit fades away, it usually doesn’t take long for another to take its place in the limelight, especially when the kit is an integral part of the ransomware ecosystem.
That’s exactly what’s happened over the past few weeks as researchers say they’ve seen an uptick in RIG Exploit Kit traffic used to peddle CrypMIC ransomware.
The news comes two weeks after researchers shut down a global malvertising campaign that was delivering the same ransomware but via the Neutrino Exploit Kit. While RIG is far from new – it was pushing Cryptowall ransomware on victims as far back as 2014 – it has enjoyed a spike in the days following Neutrino’s decline, researchers say.
According to experts at Heimdal Security, who have tracked the kit’s traffic over the past 20 days, it’s picking up where Neutrino left off. A new campaign is using script injection to compromise legitimate websites and redirect victims to hijacked domains pushing CrypMIC. Andra Zaharia, a security evangelist with the Danish firm, said some of the attacks use malicious iframe HTML as the injected code.
RIG is using a technique previously utilized by the Angler Exploit Kit, domain shadowing, to redirect users. Attackers use stolen domain credentials to set up subdomains under legitimate domains and divert traffic to sites of their choosing. Domain owners are often none the wiser because many do not monitor their domain accounts and fail to notice that their credentials have been compromised in a phishing attack.
According to Zaharia, the new campaign bears a resemblance to Pseudo-Darkleech, a campaign that’s been used for more than a year now to deliver exploit kits. Both campaigns use similar patterns when it comes to injecting malicious scripts and redirecting traffic to the exploit kit infrastructure, Zaharia said.
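The injection pattern described above, a hidden or near-invisible iframe inserted into a legitimate page that points off-site (including to a shadowed subdomain of some other legitimate domain), is something a site owner can check for in their own served HTML. The following scanner is an added example written for this article; it is not code from Threatpost, Heimdal or any exploit kit. The site hostname, the sample page and the shadowed-looking domain names in it are constructed for illustration. It flags an iframe only when it is both off-site and either hidden (directly or via a hidden ancestor) or sized at 2 pixels or less, so ordinary visible embeds such as a video player are not reported.

```python
"""Flag off-site iframes that are hidden or tiny, the shape of inject the
article describes.  Added example; hostnames and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed hostname of the site whose pages are being checked.
SITE_HOST = "example-legit-site.test"

# Constructed sample page: a normal visible embed, a relative-path widget,
# and two injected frames (one 1x1 and hidden, one inside a hidden <div>).
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://random.shadowed-domain.test/index.php" width="1" height="1" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="//cdn-assets.shadowed-domain.test/gate.php"></iframe></div>
<iframe src="/local/widget.html" width="300" height="200"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def _is_tiny(attrs):
    """True when the frame is at most 2px wide or high (a common inject size)."""
    try:
        w = int(re.sub(r"px$", "", attrs.get("width", "100").strip()))
        h = int(re.sub(r"px$", "", attrs.get("height", "100").strip()))
    except ValueError:
        return False
    return w <= 2 or h <= 2


def _is_offsite(src, site_host):
    """Relative URLs are same-site; anything on another host is off-site."""
    host = urlparse(src).netloc.lower()
    if not host:
        return False
    return host != site_host and not host.endswith("." + site_host)


class IframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []      # (tag, hidden) for currently open elements
        self.findings = []   # dicts with the iframe src and the reasons it was flagged

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style", "")))
        inherited = any(h for _, h in self.stack)   # hidden via an ancestor
        if tag == "iframe":
            src = attrs.get("src", "")
            reasons = []
            if _is_offsite(src, self.site_host):
                reasons.append("off-site")
            if hidden or inherited:
                reasons.append("hidden")
            if _is_tiny(attrs):
                reasons.append("tiny")
            # Report only off-site frames that are also concealed in some way.
            if "off-site" in reasons and len(reasons) > 1:
                self.findings.append({"src": src, "reasons": reasons})
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open element, tolerating sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_injected_iframes(html, site_host=SITE_HOST):
    """Return the list of suspicious iframes found in the given HTML."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_injected_iframes(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against the constructed page, the scanner reports the two shadowed-domain frames and stays silent on the visible video embed and the relative-path widget. In practice this is most useful run over a crawl of a site’s own pages on a schedule and diffed against the previous run, since the article’s point is that the injection lands on pages the owner believes to be clean.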
Researchers with Cisco Talos, who took down the Neutrino-CrypMIC campaign 20 days ago, believe it exposed roughly one million users to malicious ads for the two weeks they followed it in early August. The researchers worked with GoDaddy to subsequently shut down domains that were being used by the campaign to redirect traffic to a server hosting Neutrino in Russia.
The RIG-CrypMIC campaign takes advantage of recent vulnerabilities in Adobe Flash Player, according to Heimdal. Following the exploit, CrypMIC is dropped into a Windows temporary folder with a random name. From there, the malware connects to a command and control server.
While Zaharia told Threatpost that Heimdal does not have complete traffic numbers, she did confirm that the payload’s delivery efficiency is 35.6 percent, spread across the different Flash exploits.
The exploits include CVE-2015-8651, a vulnerability that Adobe patched last December, and CVE-2016-4117, a zero day vulnerability the company patched in May. Attackers embedded CVE-2016-4117 into Neutrino a week after the company patched it, and the Scarcruft APT gang, a group that was spotted targeting Russia, Nepal, and South Korea, also leveraged the exploit. According to researchers at Kaspersky Lab, who identified the group in June, Scarcruft paired the exploit with watering hole attacks as part of Operation Erebus, a series of attacks carried out in spring.
The campaign also uses an IE zero day, CVE-2016-0189, that Microsoft patched in May to carry out attacks. Developers behind Neutrino incorporated that vulnerability into the exploit kit in July.
The moves are positioning RIG to be the definitive exploit kit, for now at least, Zaharia said.
“When it comes to exploit kits, the dynamic is incredibly fast-moving. In the past month, two of the biggest exploit kit infrastructures were either taken down or suffered a big hit, so one of the other notorious exploit kits is bound to take advantage of the opportunity,” Zaharia told Threatpost Wednesday. “RIG is shaping up to be the go-to EK, but Magnitude, Sundown or others could also be working on their next big move.”