RIG Surpasses Neutrino to Become Today's Most Active Exploit Kit

Solarquest

Jul 22, 2014
There's a new sheriff in town and his name is RIG


The exploit kit landscape is changing and, according to multiple sources, activity from the Neutrino exploit kit service is waning, with the RIG crew moving in to take its place.

The latest security firm to add its voice to this conclusion is Malwarebytes, after previous reports from Heimdal Security, who spotted an increase in RIG activity, and Cisco Talos, who helped bring down a massive malvertising campaign that used the Neutrino exploit kit, leaving a huge gap for RIG to fill.

"Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it," Jerome Segura of Malwarebytes noted. "But since then, there have been several shake ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high volume attacks from compromised websites."
RIG is absorbing Neutrino's clients and technical tricks

But RIG is not only taking over Neutrino's malvertising campaigns. According to Segura, RIG is also borrowing some of Neutrino's source code.

The researcher explains that Neutrino has historically used the wscript.exe process to funnel exploits towards the user's PC. Segura describes this as "Neutrino’s trademark," something that only this exploit kit has employed.

Starting this September, when Neutrino activity started going down, RIG has begun using the wscript.exe process, just like Neutrino, instead of the iexplore.exe process it used until then.

Additionally, that's the same time when malvertising campaigns served via the RIG exploit kit started deploying the CryptMIC ransomware, which has been delivered all summer only via Neutrino.

RIG is the leader of a meager exploit kit market
All signs point to a change of leader in the exploit kit market. Neutrino may not be dead, but the coordinated Cisco & GoDaddy takedown of several malvertising campaigns seems to have affected its clientele, who appear to have lost trust in it and are now moving to RIG instead.

According to a recent Digital Shadows report, the exploit kit market is not that crowded, and malware distributors don't have that many options to choose from.
Only seven exploit kits have been active in 2016, but two are already dead (Angler, Nuclear). The only ones left alive are RIG, Neutrino, Magnitude, Sundown, and Hunter.

A quick look-up on sites like Malware Traffic Analysis comes to support both Malwarebytes and Heimdal's conclusions, with RIG dominating September's malvertising landscape.
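The article's technical point is the change of delivery process: exploit-kit payload stages now run through wscript.exe rather than staying inside iexplore.exe. A defender can turn that into a simple hunt over process-creation telemetry. The script below is an added example, not code from the thread or from Malwarebytes; it assumes Sysmon is installed with process-creation logging (Event ID 1), that the account running it can read the Sysmon operational log, and that a browser directly spawning a Windows Script Host process is rare enough on the monitored hosts to be worth reviewing.

```powershell
# Added example (assumption: Sysmon Event ID 1 is being logged on this host).
# Flags Windows Script Host processes whose parent is a web browser, the
# pattern the article attributes to Neutrino and, since September, to RIG.
$browsers    = @('iexplore.exe', 'chrome.exe', 'firefox.exe', 'msedge.exe')
$scriptHosts = @('wscript.exe', 'cscript.exe')

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1                     # Sysmon: process creation
} -MaxEvents 20000 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="...">value</Data> elements
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if (-not $d['Image'] -or -not $d['ParentImage']) { continue }

    $child  = [IO.Path]::GetFileName($d['Image']).ToLower()
    $parent = [IO.Path]::GetFileName($d['ParentImage']).ToLower()

    if ($scriptHosts -contains $child -and $browsers -contains $parent) {
        # Emit one record per suspicious spawn; pipe to Export-Csv or a SIEM forwarder
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $d['ParentImage']
            Child       = $d['Image']
            CommandLine = $d['CommandLine']
            User        = $d['User']
        }
    }
}
```

The same parent/child pairing can be expressed as a Sysmon configuration rule or an EDR query; the script is only the ad hoc form of that check.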
hjlbx

  • Uninstall Oracle Java\Java Runtime Environment or disable or run with limited access rights
  • Uninstall Adobe Flash, Acrobat, Reader or run with limited access rights or use alternatives
  • Uninstall Microsoft Silverlight or run with limited access rights or use alternative
  • Keep vulnerable software up-to-date\fully patched - especially Internet Explorer
  • Run Internet Explorer with limited access rights
There are multiple security softs that can handle RIG exploit (I list the ones I know that work through prior testing):
  • Microsoft EMET
  • HitmanPro.Alert
  • AppGuard
  • Sandboxie
  • COMODO Internet Security\Firewall
This is not difficult...