Version 3.0 makes a comeback, surpassing 2.0's statistics

Aug 4, 2015 12:05 GMT

Trustwave security researchers have analyzed the latest version of the RIG Exploit Kit and claim that the new version is as successful as the older 2.0 was.

While the RIG Exploit Kit took a serious reputation hit when one of its resellers leaked the source code and shared it with various security firms, the kit's author seems to have made a comeback with a revamped version.

Trustwave researchers claim that this new iteration predominantly leverages Flash vulnerabilities, mainly the two zero-day exploits revealed through the Hacking Team leak last month (CVE-2015-5119 and CVE-2015-5122).

Once compromised through these and other exploits, machines are infected with various malicious payloads, the most common being the Tofsee spam bot, which Trustwave observed in 70% of all cases.

RIG delivers payloads using malvertising campaigns

As for the source of the infection, Trustwave researchers claim that "90% of the traffic flowing into the various campaigns of the RIG exploit kit were a result of malvertisement (malicious ads)."

This method lets attackers reach even the most cautious users, those who routinely avoid shady websites.

Because malvertising campaigns can be delivered through popular websites like Yahoo, CBS and others, victims don't even have to go out of their comfort zone when navigating the Web to be infected.

Trustwave researchers said that the 3.0 version of the RIG Exploit Kit "attempted to infect 3.5 million machines and succeeded in infecting 1.25 million machines, meaning on average 27,000 infected machines per day!"

That's a vast improvement over version 2.0, and quite impressive given that 2.0's source code was leaked and 3.0 uses a similar infrastructure, without major changes to its three-layer system of proxy servers, VDS tunnels, and a backend panel for controlling the exploitation campaigns.

Additionally, to prevent future leaks of the source code, the RIG developers have taken precautionary measures to stop resellers from accessing any of the kit's source code.