Trustwave on Monday announced new research into the next generation of a dangerous exploit kit, known as RIG 3.0. Before Arseny Levin, the lead SpiderLabs researcher involved in the discovery, left for the Black Hat USA show in Las Vegas, where he will be discussing how to defeat exploit kits, we asked him a few questions about the big investigation.
Trustwave SpiderLabs researchers have been closely following the evolution of the RIG exploit kit, whose source code was leaked earlier this year. Since then, a huge development has taken place. Can you explain what you and your team have uncovered?
We have been monitoring the operations of RIG 3.0 over about six weeks, during which we observed an incredible infection rate of 27,000 machines per day on average. The authors behind this exploit kit had to recover from a massive blow, where one of their resellers leaked parts of their source code. Since then they have patched various security vulnerabilities that allowed the reseller to gain access to their source code. They have also updated the URL scheme of the exploit pages in order to provide their customers with better evasion from security products. Additionally, they rewrote the admin panel interface and gave it a shiny new look.
How successful have the attackers been?
The attackers are very much successful with their operation, as over the course of about six weeks they have attempted to exploit more than 3.5 million potential victims and succeeded with about 1.25 million. This means they have achieved an infection ratio of 34 percent. That is a scary rate, as every third victim has been successfully exploited.
Which vulnerabilities are being used to infect computers?
The three primary ones are:
CVE-2013-2551: Internet Explorer (IE) VML DashStyle
CVE-2014-6332: Windows OLE VBScript, which is exploited through IE
CVE-2015-5122: This is the latest Flash exploit leaked from the Hacking Team breach. It was still a zero day when RIG began using it and had a window of about three days before a patch was released. The high infection rate can be partially attributed to this.
How many victims are infected, and where are they located? Are businesses affected?
As mentioned, up until now we observed over 1.25 million successfully infected machines, and the attack still goes on. The top five affected countries are: Brazil, with 450,529 infections; Vietnam, with 302,705 infections; Turkey, with 82,640 infections; India, with 62,771 infections; and the United States with 45,889 infections.
The attackers don't distinguish between business users and home users. They simply exploit any vulnerable PC that happens to land on their exploit page. So naturally there will be business PCs affected in the mix of victims, and if the attacker is an experienced one, then they might scoop out the business PCs and leverage their control to steal funds from that business.
How are users initially infected? Will they notice anything amiss?
Coming across a landing page of any exploit kit, including RIG's, is essentially unavoidable. Users are simply browsing the web - perhaps browsing their favorite local news website - and without any visual indication, an exploit page can be loaded in a hidden iframe, which is a result of a malicious advertisement that was loaded in the context of that website. The problem is that not only the website, but also the ad provider of that website, can't do much in order to prevent the malicious ads from being displayed. They are both, in fact, a victim in this scheme, just like the end-user who is infected.
This is due to the complicated dynamic bidding system that ad networks employ, where in real time the bid for the ad to be displayed can be bounced across multiple providers until it's matched with the appropriate price. The criminals leverage this situation to serve malicious ads, or malvertisements, from low-profile ad providers down the bidding chain. Eventually, when the user is already infected, for example with ransomware, it will already be too late: all their private files will be encrypted and a ransom demand displayed.
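The hidden-iframe delivery described in the answer above can be spotted heuristically. The following is an added example written for this page, not code from Trustwave, SpiderLabs or the RIG kit: a scanner over raw HTML that reports every iframe whose attributes or inline style make it invisible to the user (1x1 or 0x0 size, display:none, visibility:hidden, opacity:0, off-screen positioning, or the hidden attribute) and whether its source is a third-party origin relative to the page host, which is what an ad-chain drop looks like. The page host and the HTML snippet are constructed for illustration. A real deployment would walk the live DOM after scripts run, since the ad chain injects the frame at runtime; the static-HTML version here is enough to show the checks.

```javascript
// Added example (not Trustwave's or RIG's code): flag iframes that a
// malvertisement might use to load an exploit-kit landing page out of sight.
// The host name and HTML below are constructed sample input.

const SAMPLE_PAGE_HOST = "news.example.test"; // constructed

const SAMPLE_HTML = `<html><body>
<h1>Local news</h1>
<iframe src="https://ads.example-network.test/slot?id=1" width="300" height="250"></iframe>
<iframe src="http://cdn-rotator.example.test/ek/index.php?q=abc" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src='/embed/weather' width="0" height="0"></iframe>
<iframe src="https://other.example.test/x" style="position:absolute; left:-9999px; top:0"></iframe>
<iframe src="https://tracker.example.test/p" hidden></iframe>
</body></html>`; // constructed

// Parse name="value" / name='value' / name=value attributes out of one tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    attrs[m[1].toLowerCase()] = value.trim();
  }
  // Boolean "hidden" attribute: look only outside quoted values so that
  // style="visibility:hidden" does not trigger it.
  const unquoted = tag.replace(/"[^"]*"|'[^']*'/g, '""');
  if (/\shidden(?=[\s>\/])/i.test(unquoted)) attrs.hidden = "";
  return attrs;
}

// Reasons an iframe looks invisible to the user; an empty list means it renders.
function hiddenReasons(attrs) {
  const reasons = [];
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  if (!Number.isNaN(w) && w <= 1) reasons.push("width<=1");
  if (!Number.isNaN(h) && h <= 1) reasons.push("height<=1");
  if (attrs.hidden !== undefined) reasons.push("hidden attribute");
  // Normalise inline CSS: lowercase, whitespace removed, so "left: -9999px" matches.
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  if (style.includes("display:none")) reasons.push("display:none");
  if (style.includes("visibility:hidden")) reasons.push("visibility:hidden");
  if (/(?:^|;)opacity:0(?:;|$)/.test(style)) reasons.push("opacity:0");
  if (/(?:^|;)(?:width|height):0(?:px)?(?:;|$)/.test(style)) reasons.push("zero css size");
  if (/(?:^|;)(?:left|top):-\d+px/.test(style)) reasons.push("positioned off-screen");
  return reasons;
}

// Scan raw HTML and report each hidden iframe with its resolved host and
// whether that host differs from the page's own (a third-party drop).
function findHiddenIframes(html, pageHost) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length === 0) continue; // visible frame, e.g. a normal 300x250 ad slot
    const src = attrs.src || "";
    let host = "";
    try {
      host = new URL(src, "http://" + pageHost).hostname; // relative src resolves to pageHost
    } catch (e) {
      host = ""; // unparseable src (about:blank, javascript:, garbage) still gets reported
    }
    findings.push({ src, host, crossOrigin: host !== "" && host !== pageHost, reasons });
  }
  return findings;
}

for (const f of findHiddenIframes(SAMPLE_HTML, SAMPLE_PAGE_HOST)) {
  console.log(`${f.crossOrigin ? "THIRD-PARTY" : "same-origin "} ${f.src} [${f.reasons.join(", ")}]`);
}
```

The visible 300x250 slot is not reported even though it is cross-origin; being third-party is normal for an ad, and only the combination of invisibility with a foreign host (the second sample frame) is the pattern worth alerting on. Same-origin zero-size frames, like the weather embed, are reported too so an analyst can dismiss them deliberately rather than never see them.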
What payloads are they being hit with?
RIG 3.0 exploit kit is a service for distributing malware. As far as we know, the kit's creators don't distribute malware of their own. Instead they rent out this infection platform to customers. The customer will use this platform to deliver payloads of their choice to unsuspecting users. From what we've seen, the biggest customer of RIG 3.0 has been distributing a spam bot, which will cause the infected PC to send out spam emails. However, other customers also distribute ransomware payloads, such as Cryptowall 3.0.
Is the infrastructure being used complex?
Yes, they are utilizing a three-layer infrastructure, where the innermost layer is kept private and never interacts with the victims, serving only as the control panel for the customers and administrators of RIG 3.0. Meanwhile, the outermost layer consists of many "throwaway" servers that are the direct infection points for the victims and will be replaced frequently as they become blacklisted by security products. These layers have stayed the same as in RIG 2.0, and a thorough analysis of this infrastructure can be found here.
Has RIG 3.0 been a big moneymaking operation for both the exploit kit's authors and its customers?
Definitely. The authors of RIG 3.0 are charging $500 per month to rent their services. We observed about 50 active customers, which amounts to a $25,000 monthly income just from those people alone. In our SpiderLabs Blog post, we provide an analysis of revenue for the biggest customer of RIG 3.0, which spreads a spam bot and monetizes by providing spam services for other criminals. This customer could easily be making $80,000 per month.
Is there anything particularly interesting about how the RIG 3.0 underground racket compares to prior RIG operations?
In this aspect, RIG 3.0 hasn't changed much from RIG 2.0, except for abandoning the reseller model the creators used with RIG 2.0. This is probably due to the experience with the reseller who leaked parts of the source code. Additionally, it is worth noting that unlike other exploit kits, RIG is open to English-speaking customers and not limited to Russian customers, which broadens the potential customer base.
Finally, how can business users avoid falling victim to exploits?
We would suggest three measures: Keep software up to date, especially browsers and their plug-ins (including MS Office); enable click-to-play in browsers; and deploy anti-malware or managed anti-malware security controls that are designed to detect and block malware in real time.
UPDATE (Aug. 10): We have observed that RIG 3.0's main administration servers have been experiencing distributed denial-of-service attacks, most likely from rival criminal gangs. RIG's handlers have decided to protect their services by deploying them behind CloudFlare, an anti-DDoS service that has been used before by hacker contingents.