Security News Malvertising Campaign Using RIG EK Detected Pushing CrypMIC Ransomware

Exterminator (thread author; member since Oct 23, 2012)
Security experts from Heimdal Security are warning against a new wave of malvertising that redirects users to malicious websites hosting the RIG exploit kit, which in the end infects victims with the CrypMIC ransomware.

This most recent wave of infections comes on the heels of a malvertising campaign that Cisco and GoDaddy brought down at the start of the month.

That particular malvertising campaign was exploiting advertising companies that deployed OpenX servers in order to inject malicious JavaScript code inside ads and redirect users to malicious websites hosting the Neutrino exploit kit.

Heimdal now says that there's an increase in the number of malvertising attacks that are leveraging the RIG exploit kit.

"RIG exploit kit has been spotted in several campaigns that use an 'iframe src' as the malicious inject to divert traffic to the arbitrary web pages created through domain shadowing," Heimdal's Andra Zaharia wrote today.

These RIG exploit kit installations use several recently disclosed Flash vulnerabilities to infect users with the same payload as the Neutrino campaigns, the CrypMIC ransomware.

This particular ransomware appeared over the summer, and it is a clone - with some variations - of the more famous CryptXXX ransomware.

A recent report released by Digital Shadows reveals that RIG is one of the five active exploit kits left on the market today, along with Neutrino, Magnitude, Sundown, and the lesser-known Hunter EK.
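As an added illustration (not part of the post or of Heimdal's alert), a small Python check for the injected 'iframe src' pattern described above: it parses a page and flags iframes that are hidden and point off the page's own registrable domain, the shape a domain-shadowing redirect takes. The hostnames in the sample HTML are constructed placeholders.

```python
"""Added example, not from the post or Heimdal: flag hidden iframes that divert
a page to a foreign host (the 'iframe src' inject pattern from RIG malvertising)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page: one ordinary ad frame on the publisher's own domain,
# and one injected 1x1, off-screen frame pointing at an odd subdomain of an
# unrelated domain (what a domain-shadowing redirect looks like). All hostnames
# are invented placeholders.
SAMPLE_HTML = """
<html><body>
<iframe src="https://ads.example-publisher.test/slot1" width="300" height="250"></iframe>
<iframe src="http://wzq.legit-site.test/?q=4f2a" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+", re.I)

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))

def is_hidden(attrs):
    """True if the frame is at most 1x1 or is hidden/off-screen via CSS."""
    def tiny(v):
        try:
            return int(str(v).rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style") or ""
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) or bool(HIDDEN_STYLE.search(style))

def suspicious_iframes(html, page_host):
    """Return src URLs of iframes that are hidden AND point off the page's registrable domain."""
    parser = IframeCollector()
    parser.feed(html)
    page_domain = ".".join(page_host.split(".")[-2:])   # crude registrable-domain guess
    flagged = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        foreign = bool(host) and not host.endswith(page_domain)
        if foreign and is_hidden(attrs):
            flagged.append(src)
    return flagged
```

Run against the sample with `suspicious_iframes(SAMPLE_HTML, "www.example-publisher.test")`; only the 1x1 off-screen frame is reported, the visible ad slot on the publisher's own domain is not.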


Andra Zaharia (From Heimdal; member since Jun 29, 2015)
I'm glad you found our alert helpful! If any new info pops up, we'll make sure to update it.
 
LabZero

Malvertising attacks can seem very complex, but often they can be controlled in a very simple way: turning off Flash, becoming a honeypot for criminals, and using Sandboxie to lock down the browser in a protected area that can also be deleted automatically by closing SB.
 

Andra Zaharia (From Heimdal; member since Jun 29, 2015)
And I'd add another one to that: always keep your software up to date!