There's a new sheriff in town and his name is RIG

Sep 28, 2016 00:45 GMT  ·  By

The exploit kit landscape is changing: according to multiple sources, activity from the Neutrino exploit kit service is waning, and the RIG crew is moving in to take its place.

The latest security firm to reach this conclusion is Malwarebytes, following earlier reports from Heimdal Security, which spotted an increase in RIG activity, and Cisco Talos, which helped take down a massive malvertising campaign that used the Neutrino exploit kit, leaving a large gap for RIG to fill.

"Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it," Jerome Segura of Malwarebytes noted. "But since then, there have been several shake ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high volume attacks from compromised websites."

RIG is absorbing Neutrino's clients and technical tricks

But RIG is not only taking over Neutrino's malvertising campaigns. According to Segura, RIG is also borrowing some of Neutrino's source code.

The researcher explains that Neutrino has historically used the wscript.exe process to run its payload on the victim's PC. Segura describes this as "Neutrino's trademark," a technique that no other exploit kit had employed.

Starting in September, as Neutrino activity began to drop, RIG started using the wscript.exe process just like Neutrino, instead of the iexplore.exe process it had used until then.
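The parent/child process relationship described above is the sort of thing a defender can hunt for in endpoint telemetry. The following is an added example and is not code from Malwarebytes or from Segura's write-up: it runs two simple rules over constructed process-creation events. The field names (image, parent image, command line) are modelled on Sysmon process-creation logging, which is an assumption; the first rule looks for a script host (wscript.exe or cscript.exe) spawned directly by a browser, the pattern the article attributes to Neutrino and to post-September RIG, and the second generalizes the article's mention of iexplore.exe by flagging a browser launching a binary out of a user-writable temp directory. The sample events are constructed for the example.

```python
# Added example, not from the Malwarebytes write-up. Event fields are modelled
# on Sysmon process-creation events (an assumption); sample events below are
# constructed, not captured traffic.
from dataclasses import dataclass
from typing import List, Tuple

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a drive-by payload is typically dropped into (assumption used by
# the broader second rule).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def browser_spawned_script_host(ev: ProcEvent) -> bool:
    """Rule 1: a browser directly launching wscript.exe/cscript.exe."""
    return (basename(ev.parent_image) in BROWSERS
            and basename(ev.image) in SCRIPT_HOSTS)


def browser_spawned_temp_binary(ev: ProcEvent) -> bool:
    """Rule 2 (generalization): a browser launching a non-browser binary
    that lives in a user-writable temp location."""
    if basename(ev.parent_image) not in BROWSERS:
        return False
    if basename(ev.image) in BROWSERS:   # IE tab/child processes are normal
        return False
    image = ev.image.lower()
    return any(d in image for d in USER_WRITABLE)


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event matching a rule."""
    hits = []
    for ev in events:
        if browser_spawned_script_host(ev):
            hits.append((ev.pid, "script-host-from-browser"))
        elif browser_spawned_temp_binary(ev):
            hits.append((ev.pid, "temp-binary-from-browser"))
    return hits


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events: one benign browser launch, one browser->wscript
# chain, one user-launched script, one browser->temp binary, one IE child tab.
SAMPLE_EVENTS = [
    ProcEvent(100, IE, EXPLORER, "iexplore.exe http://example.test/"),
    ProcEvent(101, r"C:\Windows\System32\wscript.exe", IE,
              r"wscript.exe //B //E:JScript C:\Users\u\AppData\Local\Temp\rad1.tmp"),
    ProcEvent(102, r"C:\Windows\System32\wscript.exe", EXPLORER,
              r"wscript.exe C:\Users\u\Desktop\login.vbs"),
    ProcEvent(103, r"C:\Users\u\AppData\Local\Temp\a1b2.tmp.exe", IE,
              "a1b2.tmp.exe"),
    ProcEvent(104, IE, IE, "iexplore.exe SCODEF:100"),
]

if __name__ == "__main__":
    for pid, rule in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Only events 101 and 103 are flagged: the user double-clicking a .vbs file on the desktop (parent explorer.exe) and IE spawning its own child process are left alone. In practice the first rule is the higher-confidence one, since a browser has little legitimate reason to start a script host; the second generates more noise and is better treated as a hunting query than an alert.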

That is also when malvertising campaigns served via the RIG exploit kit started deploying the CryptMIC ransomware, which had been delivered exclusively through Neutrino all summer.

RIG is the leader of a meager exploit kit market

All signs point to a change of leader in the exploit kit market. Neutrino may not be dead, but the coordinated Cisco and GoDaddy takedown of several malvertising campaigns appears to have shaken its clientele, who seem to have lost trust in it and are now moving to RIG instead.

According to a recent Digital Shadows report, the exploit kit market is not that crowded, and malware distributors don't have that many options to choose from.

Only seven exploit kits have been active in 2016, but two are already dead (Angler, Nuclear). The only ones left alive are RIG, Neutrino, Magnitude, Sundown, and Hunter.

A quick look at sites like Malware Traffic Analysis supports both Malwarebytes' and Heimdal's conclusions, with RIG dominating September's malvertising landscape.