LAS VEGAS – A rampant malvertising campaign fueled by a new version of the Rig Exploit Kit has claimed at least 950,000 victims worldwide and is doing so with an unprecedented success rate.
Researchers at Trustwave said in advance of this week’s Black Hat conference that they have been watching servers involved in the campaign for six weeks. They estimate there are 50 active customers using the kit who have tried to infect three million machines during that time frame, succeeding against 1.25 million, or 34 percent of machines.
“This is very high for an exploit kit,” said Arseny Levin, a security researcher at Trustwave, who estimates average success rates for similar campaigns at 10 percent to 15 percent.
The recent Hacking Team data dump and the exposure of a number of zero-day vulnerabilities and exploits have likely inflated the success rate of this campaign, Levin said. This version of Rig, he said, has already integrated one of them, CVE-2015-5122, a use-after-free vulnerability in Adobe Flash that was patched on July 14.
Most of the traffic sources implicated in this campaign originate from malvertising; attackers have managed to embed malicious Flash files in digital advertisements hosted on a number of popular websites worldwide. Malvertising is an epidemic enabled by weaknesses in the security processes and practices of the ad networks that allow criminal hackers to snare victims at scale. Couple that with lax patching, and it’s a recipe for trouble.
Trustwave was expected this week at Black Hat to release a lengthy list of compromised websites involved in this campaign, but pulled back on that decision because it has still not successfully notified all the parties involved, a representative told Threatpost.
The campaign is ongoing and most of the victims are in Brazil (close to 451,000) and Vietnam (303,000). Trustwave said there are 46,000 victims in the United States and notably fewer in the U.K. and Canada. Levin said the criminals behind Rig are raking in the cash, close to $25,000 monthly, largely by renting out the kit at a rate of $100 per month per customer.
In February, there was a partial source code leak of the Rig Exploit Kit posted to the Internet. French exploit kit watcher Kafeine found the leak advertised on a hacker forum that is not used by the principal gang behind Rig, leading him to believe that some kind of dispute led to the leak. Another researcher in the U.K. going by the handle Malwaretech said the leaker was likely a reseller of the Rig Exploit Kit who was trying to scam the official Rig sellers; he was eventually suspended from selling the kit and likely went rogue.
This version of Rig, Levin said, is only sold privately, indicating that its operators have abandoned the reseller model as well.
While malvertising is responsible for 90 percent of infections in this campaign, Levin said a number of compromised websites are also pushing Rig 3.0, and previously infected machines are being re-infected with the updated malware.
In the meantime, the best mitigation is to keep third-party software such as Flash and Java up to date. Levin also suggests enabling click-to-play browser features, which require the user to click on Flash content such as a banner or ad before it runs, so that a malicious Flash exploit cannot execute automatically.