How an Upgraded Version of the RIG Exploit Kit is Infecting 27k Computers Per Day

(UPDATED BELOW)

Trustwave on Monday announced new research into the next generation of a dangerous exploit kit, known as RIG 3.0. Before Arseny Levin, the lead SpiderLabs researcher involved in the discovery, left for the Black Hat USA show in Las Vegas, where he will be discussing how to defeat exploit kits, we asked him a few questions about the big investigation.

Trustwave SpiderLabs researchers have been closely following the evolution of the RIG exploit kit, whose source code was leaked earlier this year. Since then, a huge development has taken place. Can you explain what you and your team have uncovered?

We have been monitoring the operations of RIG 3.0 over about six weeks, during which we observed an incredible infection rate of 27,000 machines per day on average. The authors behind this exploit kit had to recover from a massive blow, where one of their resellers leaked parts of their source code. Since then they have patched various security vulnerabilities that allowed the reseller to gain access to their source code. They have also updated the URL scheme of the exploit pages in order to provide their customers with better evasion from security products. Additionally, they rewrote the admin panel interface and gave it a new shiny look.

How successful have the attackers been?

The attackers are very much successful with their operation, as over the course of about six weeks they have attempted to exploit more than 3.5 million potential victims and succeeded with about 1.25 million. This means they had achieved an infection ratio of 34 percent. That is a scary rate, as every third victim has been successfully exploited.

Which vulnerabilities are being used to infect computers?

The three primary ones are:

CVE-2013-2551: Internet Explorer (IE) VML DashStyle

CVE-2014-6332: Windows OLE VBScript, which is exploited through IE

CVE-2015-5122: This is the latest Flash exploit leaked from the Hacking Team breach. It was still a zero day when RIG began using it and had a window of about three days before a patch was released. The high infection rate can be partially attributed to this.

How many victims are infected, and where are they located? Are businesses affected?

As mentioned, up until now we observed over 1.25 million successfully infected machines, and the attack still goes on. The top five affected countries are: Brazil, with 450,529 infections; Vietnam, with 302,705 infections; Turkey, with 82,640 infections; India, with 62,771 infections; and the United States with 45,889 infections.

The attackers don't distinguish between business users and home users. They simply exploit any vulnerable PC that happens to land on their exploit page. So naturally there will be business PCs affected in the mix of victims, and if the attacker is an experienced one, then they might scoop out the business PCs and leverage their control to steal funds from that business.

How are users initially infected? Will they notice anything amiss?

Coming across a landing page of any exploit kit, including RIG's, is essentially unavoidable. Users are simply browsing the web - perhaps browsing their favorite local news website - and without any visual indication, an exploit page can be loaded in a hidden iframe, which is a result of a malicious advertisement that was loaded in the context of that website. The problem is that not only the website, but also the ad provider of that website, can't do much in order to prevent the malicious ads from being displayed. They are both, in fact, a victim in this scheme, just like the end-user who is infected.

This is due to the complicated dynamic bidding system that ad networks employ, where in real time the bid for the ad to be displayed can be bounced across multiple providers until it's matched with the appropriate price. The criminals leverage this situation to serve malicious ads, or malvertisements, from low-profile ad providers down the bidding chain. Eventually when the user is already infected, for example with ransomware, it will be already too late and all his private files will be encrypted and ransom demand displayed.
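An added detection example, not part of Trustwave's post: a small Python heuristic that scans captured page HTML for iframes concealed the way the answer describes (hidden styling or 1x1 sizing). The sample page and its hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (hostnames are placeholders): one visible ad iframe,
# one 1x1 iframe pushed off-screen, one iframe with display:none.
SAMPLE_HTML = """
<html><body>
<h1>Local news</h1>
<iframe src="https://ads.example-adnetwork.test/banner" width="728" height="90"></iframe>
<iframe src="http://landing.example-malvertiser.test/x.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
<iframe src="https://cdn.example.test/widget" style="display:none"></iframe>
</body></html>
"""

# Inline-style patterns that make an iframe invisible to the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+px", re.I
)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.iframes.append(dict(attrs))


def is_concealed(attrs):
    """Heuristic: hidden via style, or sized to 2px or less in either dimension."""
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    try:
        width = int(attrs.get("width") or 100)
        height = int(attrs.get("height") or 100)
    except ValueError:  # non-numeric sizes (e.g. "100%") are treated as visible
        return False
    return width <= 2 or height <= 2


def find_hidden_iframes(html):
    """Return the src of every concealed iframe in the page, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src") or "" for f in parser.iframes if is_concealed(f)]
```

Flagged frames are review candidates, not verdicts: legitimate tracking pixels use the same tricks, so compare the src host against the page's known ad partners.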

What payloads are they being hit with?

RIG 3.0 exploit kit is a service for distributing malware. As far as we know, the kit's creators don't distribute malware of their own. Instead they rent out this infection platform to customers. The customer will use this platform to deliver the payloads of their choice to unsuspecting users. From what we've seen, the biggest customer of RIG 3.0 has been distributing a spam bot, which will cause the infected PC to send out spam emails. However, other customers also distribute ransomware payloads, such as Cryptowall 3.0.

Is the infrastructure being used complex?

Yes, they are utilizing a three-layer infrastructure, where the innermost layer is kept private and never interacts with the victims, serving only as the control panel for the customers and administrators of RIG 3.0. Meanwhile, the outermost layer consists of many "throwaway" servers that are the direct infection points for the victims and will be replaced frequently as they become blacklisted by security products. These layers have stayed the same as in RIG 2.0, and a thorough analysis of this infrastructure can be found here.

Has RIG 3.0 been a big moneymaking operation for both the exploit kit's authors and its customers?

Definitely. The authors of RIG 3.0 are charging $500 per month to rent their services. We observed about 50 active customers, which amounts to a $25,000 monthly income just from those people alone. In our SpiderLabs Blog post, we provide an analysis of revenue for the biggest customer of RIG 3.0, which spreads a spam bot and monetizes by providing spam services for other criminals. This customer could easily be making $80,000 per month.

Is there anything particularly interesting about how the RIG 3.0 underground racket compares to prior RIG operations?

In this aspect, RIG 3.0 hasn't changed much from RIG 2.0, except for abandoning the reseller model the creators used with RIG 2.0. This is probably due to the experience with the reseller in which they leaked parts of the source code. Additionally, it is worth noting that unlike other exploit kits, RIG is open for English-speaking customers and not only limited to Russian customers, which broadens the potential customer base.

Finally, how can business users avoid falling victim to exploits?

We would suggest three measures: Keep software up to date, especially browsers and their plug-ins (including MS Office); enable click-to-play in browsers; and deploy anti-malware or managed anti-malware security controls that are designed to detect and block malware in real time.

UPDATE (Aug. 10): We have observed that RIG 3.0's main administration servers have been experiencing distributed denial-of-service attacks, most likely from rival criminal gangs. RIG's handlers have decided to protect their services by deploying them behind CloudFlare - an anti-DDoS service that has been used before by hacker contingents.