Unpatched browser plug-ins are an easy way into the computer

Oct 30, 2014 16:23 GMT  ·  By

Users visiting the Popular Science website have been targeted with a drive-by download attack that relied on RIG Exploit Kit (EK) to deliver malicious files to their computers.

The cybercriminals managed to inject code into the website that redirected visitors to an online location hosting the EK. Usually, such browser-based crimeware scans for vulnerable plug-ins (Flash, Silverlight or Java) and then leverages a weakness in one of them to download malware.

EK enumerates local resources, no TDS employed

However, in this case, security researchers from Websense observed that the EK first checked the target system for the presence of certain antivirus software and proceeded with the plug-in exploitation only if none of the products on its list were encountered.

In order to do this, the cybercriminals leveraged another vulnerability, this time in the XMLDOM ActiveX control in Windows 8.1 and lower, which also allows enumeration of local resources.

Abel Toro of Websense says that this tactic is being integrated into exploit kits more and more often, and that it is also present in versions of Nuclear Pack and Angler EKs.

Another particularity is that no TDS (traffic distribution system) is employed: the malicious iframe injected into the code of the Popular Science site leads straight to RIG EK’s landing page.

In his analysis of the attack, Toro observed that the landing page for the exploit kit was highly obfuscated. This is a common tactic used by cybercriminals to make security researchers’ job more difficult.
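For defenders, the injection described above (a hidden iframe on a compromised site pointing straight at an external landing page) is something a page-integrity check can flag. The following is an added example, not code from the article or from Websense: it walks a page's HTML with the standard-library parser and reports iframes that are concealed (tiny dimensions or CSS hiding) and/or point off-site. The sample HTML, the site host `example-site.invalid` and the landing host `ek-landing.invalid` are all constructed placeholders, not indicators from the actual attack.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the domain of the site being audited (assumption, not a real host).
SITE_HOST = "example-site.invalid"

# Constructed sample page: one legitimate embedded player plus an injected,
# concealed iframe that points at an external host. Hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-site.invalid/embed/player" width="640" height="360"></iframe>
<div style="display:none">
<iframe src="http://ek-landing.invalid/landing.php" width="1" height="1" style="visibility:hidden"></iframe>
</div>
</body></html>
"""


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels), a classic hiding trick."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collects iframes that look concealed or that load content from another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_external(self, src):
        host = (urlparse(src).hostname or "").lower()
        if not host:
            return False  # relative URL: same origin as the page
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if self._is_external(src):
            reasons.append("external host: " + (urlparse(src).hostname or ""))
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("tiny dimensions")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_iframes(html, site_host):
    """Return every iframe with at least one suspicious trait."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_iframes(html, site_host):
    """Return only iframes that are both off-site and concealed: the drive-by pattern."""
    return [
        f for f in audit_iframes(html, site_host)
        if any(r.startswith("external host") for r in f["reasons"]) and len(f["reasons"]) > 1
    ]


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

An off-site iframe on its own is normal (video embeds, ad units), so the check only raises an alert when the frame is also hidden; run it against a known-good copy of each page and diff the findings to catch injections like the one on the Popular Science site.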

Patching plug-ins sooner rather than later is always a good idea

Keeping browsers updated and running the most recent versions of browser plug-ins is an easy way to stay protected against this type of attack.

Concocting an exploit for a vulnerability takes some time, and except in the case of zero-day vulnerabilities, developers provide a patch long before the cybercriminals find a way to leverage the weakness. This gives users plenty of time to apply the patch.

On the other hand, cyber crooks in the higher tiers of organized crime may benefit from considerable resources and come up with an exploit in a very short amount of time.

This was the case with the recently updated Adobe Reader, for which exploits targeting the fixed vulnerabilities were seen in the wild a week after the developer pushed the patch.

Speculation has it that a skilled reverse engineer analyzed the update code and found a way to construct an exploit. Another theory says that the malicious individuals somehow received relevant information.