LAS VEGAS - Earlier this year, a disgruntled reseller leaked the source code for version 2.0 of the RIG exploit kit.
Since then, the RIG's author has released version 3.0, which was recently discovered by researchers from Trustwave's Spider Labs. The latest version uses malvertising in order to deliver a majority of its traffic, infecting some 1.25 million systems to date.
There have been a few notable changes made to RIG between versions, including a cleaner control panel that's easier to navigate, changes to the URL structure used by the kit that help it avoid detection, and a security structure that prevents unauthenticated users from accessing internal files, clearly implemented to avoid leaks such as the one that exposed the source code for the previous version.
Moreover, payloads are now stored in the database. Previously, the files were stored in a folder on the administration server, but now they're only accessible via the control panel, preventing execution on the server.
In order to deal with DDoS attacks, the RIG author has taken to using CloudFlare services, which has helped it remain online despite constant attack.
Spider Labs researchers observed two instances of RIG 3.0. According to their figures, the kit has recorded more than 3.5 million hits, resulting in 1.25 million successful infections.
This created a daily infection average of 27,000 systems, largely due to the number of Adobe Flash exploits leveraged by the kit, including the exploits discovered in the cache of files leaked after Hacking Team was compromised (CVE-2015-5119, CVE-2015-5122). In addition, RIG is also using CVE-2013-2551 and CVE-2014-6332 to target Internet Explorer. When it comes to the victims, Vietnam, followed by Indonesia, Thailand, Brazil, and Turkey, were the most infected locations during the time researchers observed the exploit kit in action.
The infrastructure used by RIG 3.0 is similar to what the previous version used; however, the changes made to the kit have impacted detection. Since it was discovered, many vendors have failed to flag the URLs used by the exploit delivery servers.
While observing the instances, researchers determined that nearly 70 percent of the traffic being delivered to RIG could be directly linked to a number of malicious ad campaigns.
Arseny Levin, Lead Security Researcher at Trustwave, said that many of the malvertising runs were staged from a number of smaller ad networks, which at the time had no idea they were being used by criminals.
"Criminals will seek out the cheapest ad providers where they can place their malicious ads and turn that cheap traffic into infections using exploit kits. For the criminal, these infections are their profit, so it makes sense, financially, to go to the lowest ad providers down the chain," he said.
One of the victimized ad networks is buy-targeted-traffic.com, which enables customers to selectively target who their ads will be shown to, including browser type, geography, operating system type, and more. Since RIG only targets Internet Explorer users, this feature was perfect for the malvertising run, since it enabled victim screening.
For as little as 0.20 cents, a RIG customer can purchase 1,000 ad impressions on low-end websites, delivering steady traffic that runs under the radar.
"According to the referrers [registered by the kit], many large websites were abused by malvertising campaigns in order to redirect visitors to the RIG exploit kit; these include large news sites, investment consulting firms, IT solution providers, etc., all ranked in Alexa's top 3000," Levin explained in a blog post.
The larger websites were snared by the campaign despite having no direct relationship with the abused ad networks. This is due to how advertisement bidding works, Levin said.
"When a large legitimate advertising network doesn't have a high-end advertisement to display, it turns to affiliates who offer ads for lower prices; in these low price ranges, exploit kits such as RIG can find hits for fairly low prices."
Big fish in a big pond:
While watching the active campaigns on the RIG servers, the researchers noticed that just one customer accounted for more than 70 percent of the observed infections. This customer jumped to the top spot by delivering the Tofsee spam bot.
The variant of Tofsee used by the customer attempted to send 1 million emails a day from a single infected system, but only about 2,000 of them were actually sent. Crunching the numbers, Spider Labs researchers determined that the client was conservatively earning $60,000 to $100,000 USD per month.
"The average of 80,000 USD is not too shabby by all counts, right? That is, if you don't mind being a criminal," Levin said.
The continued existence of RIG and the popularity the exploit kit enjoys in the criminal marketplace proves that as long as there are willing customers, this turnkey business will continue to thrive.
"It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated, and worst of all, more widespread," Levin concluded.