Newest RIG exploit kit driven by malicious advertising

LAS VEGAS - Earlier this year, a disgruntled reseller leaked the source code for version 2.0 of the RIG exploit kit.

Since then, RIG's author has released version 3.0, which researchers from Trustwave's SpiderLabs recently discovered. The latest version relies on malvertising to deliver the majority of its traffic and has infected some 1.25 million systems to date.

There have been a few notable changes to RIG between versions, including a cleaner control panel that is easier to navigate, changes to the URL structure used by the kit that help it evade detection, and an access-control layer that keeps unauthenticated users away from internal files, clearly implemented to avoid leaks such as the one that exposed the previous version's source code.

Moreover, payloads are now stored in the database. Previously the files sat in a folder on the administration server; now they are only reachable through the control panel, so they cannot be executed on the server itself.

To cope with DDoS attacks, RIG's author has put the kit's infrastructure behind CloudFlare, which has kept it online despite constant attack.


SpiderLabs researchers observed two instances of RIG 3.0. According to their figures, the kit has recorded more than 3.5 million hits, resulting in 1.25 million successful infections.

That works out to a daily average of roughly 27,000 newly infected systems, driven largely by the Adobe Flash exploits the kit leverages, including two taken from the files leaked after Hacking Team was compromised (CVE-2015-5119 and CVE-2015-5122). RIG also uses CVE-2013-2551 and CVE-2014-6332 to target Internet Explorer. As for the victims, Vietnam, followed by Indonesia, Thailand, Brazil and Turkey, were the most infected locations during the period in which researchers observed the kit in action.

The infrastructure used by RIG 3.0 is similar to the previous version's; however, the changes to the kit have hurt detection. Since it was discovered, many vendors have failed to flag the URLs used by the exploit delivery servers.


While observing the instances, researchers determined that nearly 70 percent of the traffic being delivered to RIG could be directly linked to a number of malicious ad campaigns.

Arseny Levin, Lead Security Researcher at Trustwave, said that many of the malvertising runs were staged from a number of smaller ad networks, which at the time had no idea they were being used by criminals.

"Criminals will seek out the cheapest ad providers where they can place their malicious ads and turn that cheap traffic into infections using exploit kits. For the criminal, these infections are their profit, so it makes sense, financially, to go to the lowest ad providers down the chain," he said.

One of the victimized ad networks enables customers to selectively target who their ads will be shown to, including browser type, geography, operating system type and more. Since RIG only targets Internet Explorer users, this feature was perfect for the malvertising run, because it enabled victim screening before a single exploit was served.

For as little as $0.20, a RIG customer can purchase 1,000 ad impressions on low-end websites, delivering a steady stream of traffic that runs under the radar.

"According to the referrers [registered by the kit], many large websites were abused by malvertising campaigns in order to redirect visitors to the RIG exploit kit; these include large news sites, investment consulting firms, IT solution providers, etc., all ranked in Alexa's top 3000," Levin explained in a blog post.

The larger websites were snared by the campaign despite having no direct relationship with the abused ad networks. This is due to how advertisement bidding works, Levin said.

"When a large legitimate advertising network doesn't have a high-end advertisement to display, it turns to affiliates who offer ads for lower prices; in these low price ranges exploit kits such as RIG can find hits for fairly low prices."
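The chain Levin describes (legitimate publisher, then a low-tier ad network, then a landing page that serves a Flash object only to Internet Explorer, then a binary download) is visible in ordinary web-proxy logs even when the delivery URLs are not yet on any blocklist. The Python below hunts for that chain. It is an added example, not Trustwave's or the RIG authors' code: the tab-separated log format, the ad-network list, the domain names and every sample line are constructed for this illustration.

```python
"""Hunt web-proxy logs for the malvertising-to-exploit-kit chain.

Added example, not code from the article or from Trustwave. The log format,
the AD_DOMAINS allowlist, the hostnames and the sample lines are all
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed list of known ad networks / exchanges (assumption for the example).
AD_DOMAINS = {"ads.example-exchange.net", "cdn.cheap-ads.example"}
FLASH_TYPES = {"application/x-shockwave-flash"}
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=90)  # exploit, shellcode and payload fetch land within seconds

IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

# Constructed TSV log: time, client, url, referrer, content-type, user-agent.
SAMPLE_LOG = [
    f"2015-08-03T10:00:00\t10.0.0.5\thttp://news.example.com/story\t\ttext/html\t{IE8}",
    f"2015-08-03T10:00:01\t10.0.0.5\thttp://ads.example-exchange.net/bid?slot=3\thttp://news.example.com/story\ttext/javascript\t{IE8}",
    f"2015-08-03T10:00:02\t10.0.0.5\thttp://cdn.cheap-ads.example/serve?c=91\thttp://ads.example-exchange.net/bid?slot=3\ttext/html\t{IE8}",
    f"2015-08-03T10:00:03\t10.0.0.5\thttp://wlkq3.example.org/index.php?pq=Y3Jvd2Q\thttp://cdn.cheap-ads.example/serve?c=91\ttext/html\t{IE8}",
    f"2015-08-03T10:00:04\t10.0.0.5\thttp://wlkq3.example.org/f.swf\thttp://wlkq3.example.org/index.php?pq=Y3Jvd2Q\tapplication/x-shockwave-flash\t{IE8}",
    f"2015-08-03T10:00:09\t10.0.0.5\thttp://wlkq3.example.org/load.php\t\tapplication/octet-stream\t{IE8}",
    # Second IE user on the same publisher gets a plain banner: no Flash, no binary.
    f"2015-08-03T10:05:00\t10.0.0.9\thttp://news.example.com/story\t\ttext/html\t{IE8}",
    f"2015-08-03T10:05:01\t10.0.0.9\thttp://ads.example-exchange.net/bid?slot=3\thttp://news.example.com/story\ttext/javascript\t{IE8}",
    f"2015-08-03T10:05:02\t10.0.0.9\thttp://static.brand.example/banner.png\thttp://ads.example-exchange.net/bid?slot=3\timage/png\t{IE8}",
]


def is_ie(ua: str) -> bool:
    """RIG screens for Internet Explorer; match both the MSIE and Trident tokens."""
    return "MSIE" in ua or "Trident/" in ua


def host(url: str) -> str:
    return urlparse(url).hostname or ""


def parse_line(line: str) -> dict:
    ts, client, url, ref, ctype, ua = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "ref": ref, "ctype": ctype, "ua": ua}


def find_chains(lines):
    """Return one finding per client whose traffic walks the full chain:
    publisher -> ad network -> unknown landing host -> SWF -> executable."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            # Step 1: an ad-network request referred by a non-ad (publisher) page.
            if host(r["url"]) not in AD_DOMAINS or not r["ref"] or host(r["ref"]) in AD_DOMAINS:
                continue
            if not is_ie(r["ua"]):
                continue  # other browsers never get past the kit's targeting filter
            deadline = r["ts"] + WINDOW
            landing = swf = exe = None
            for s in recs[i + 1:]:
                if s["ts"] > deadline:
                    break
                h = host(s["url"])
                if landing is None and host(s["ref"]) in AD_DOMAINS and h not in AD_DOMAINS:
                    landing = h  # Step 2: the ad network hands the browser to an unknown host
                elif landing and h == landing and s["ctype"] in FLASH_TYPES:
                    swf = s["url"]  # Step 3: that host serves a Flash object to an IE client
                elif swf and s["ctype"] in EXE_TYPES:
                    exe = s["url"]  # Step 4: a binary follows the exploit
                    break
            if exe:
                findings.append({"client": client, "publisher": host(r["ref"]),
                                 "ad_network": host(r["url"]), "landing": landing,
                                 "swf": swf, "payload": exe})
                break
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f)
```

The publisher and ad-network hosts in a finding are the referrer evidence Levin mentions; the landing host is the candidate to block and to pivot on across the rest of the log, and the payload URL is what to pull for sandboxing. Tune WINDOW and the content types to the proxy in use, and expect the second client's benign banner path to stay silent, as it does here.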

Big fish in a big pond:

While watching the active campaigns on the RIG servers, the researchers noticed that just one customer accounted for more than 70 percent of the observed infections. This customer reached the top spot by delivering the Tofsee spam bot.

The Tofsee variant used by this customer attempted to send 1 million emails a day from a single infected system, though only about 2,000 of them were actually sent. Crunching the numbers, SpiderLabs researchers conservatively estimated the client's earnings at $60,000 to $100,000 USD per month.

"The average of 80,000 USD is not too shabby by all counts, right? That is, if you don't mind being a criminal," Levin said.

The continued existence of RIG and the popularity the exploit kit enjoys in the criminal marketplace proves that as long as there are willing customers, this turnkey business will continue to thrive.

"It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated, and worst of all, more widespread," Levin concluded.

Stories by Steve Ragan