RIG EK Activity Declines in Q4

Written by

The RIG exploit kit (EK) has hung onto its lead as the most active EK out there this quarter, even though overall volume of RIG traffic was down from Q3.

According to the latest stats from Zscaler, RIG, which took the lion’s share of the activity after the demise of the Angler and Neutrino EKs, declined significantly in November and December, even though it continues to install ransomware, banking Trojans and cryptocurrency mining software on vulnerable systems at a greater rate than the competition.

Global distribution of RIG activity has also shifted, the firm said in its report: “For the last quarter, virtually all observed RIG traffic has been within the United States, Russia and Japan. This was unexpected, as previous analyses had shown an appreciable amount of activity in Europe, the rest of the Americas, and Southeast Asia.”

Among the number of concurrent RIG campaigns this year, the “Seamless” campaign, primarily responsible for infecting victims with the Ramnit banking infostealer, has been ongoing since early last year. RIG is also distributing coin-mining packages that typically mine alternative cryptocurrencies such as Monero, which have a greater emphasis on privacy and anonymity than Bitcoin. However, earlier this fall Zscaler researchers observed a one-off RIG campaign that used a different malicious redirect structure and infected victims with the Dofoil Trojan and Bitcoin Miner mining tool.

Other active exploit kits in the quarter include the Terror EK, a more recent exploit kit discovered in late 2016. It was formed as an amalgamation of several active exploit kits, including the Sundown EK. The majority of detected Terror EK cycles in the fourth quarter were delivered via malvertising campaigns using the Propeller Ads network.

A brand-new exploit kit that shares code with Terror EK and uses the same URL pattern, Disdain EK, was also discovered making the rounds.  

“Disdain is currently operating at very low activity, but has been observed distributing the Kasidet infostealer,” Zscaler said.

Also, the venerable Magnitude EK is still kicking. One of the longest-running exploit kits, first launched in 2013, this exploit kit has seen much lower volume activity in recent years and now primarily targets Southeast Asian countries and South Korea with malvertising campaigns.

Despite the decrease in activity, the danger is still very real and present.

“Exploit kits pose a significant threat to users during simple web browsing,” Zscaler noted. “In the case of ransomware infections, the result could be the inability of a user to access his or her files. The techniques exploit kit authors use to hide their activities are frequently changing, and security researchers work hard to analyze and block these new threats.”

To help avoid infections such as these, users should always block untrusted third-party scripts and resources,and avoid clicking on suspicious advertisements. 

What’s hot on Infosecurity Magazine?