The RIG exploit kit (EK) had a highly successful year in 2022, with a nearly 30% successful exploitation rate. Swiss cybersecurity company PRODAFT released a report highlighting RIG EK’s success and history since 2014.
The EK primarily relies on malvertising to infect user devices by taking advantage of known vulnerabilities in web browsers. The malware samples it distributes are updated at a frequency ranging from weekly to daily. Threat actors can pay the RIG EK administrator to install their desired malware on victim devices.
The RIG EK has been observed delivering various financial trojans, stealers, and ransomware such as CryptoBit, Dridex, and WastedLoader. Although the operation was dealt a huge blow in 2017, recent campaigns have used a memory corruption vulnerability affecting Internet Explorer to deploy RedLine Stealer.
The researchers found that 45% of successful infections in 2022 leveraged CVE-2021-26411, followed by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%). Other browser flaws the malware targets include CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, and CVE-2020-0674.
The RIG EK’s success can be attributed to its artful design, which allows it to infect devices with little to no interaction from the end user. Its use of proxy servers makes it difficult to detect infections. PRODAFT found that the RIG EK attracted traffic from 207 countries, with the highest number of infections located in Russia, Egypt, Mexico, Brazil, Saudi Arabia, Turkey, and several countries across Europe.
Because the RIG EK runs on a service model in which threat actors financially compensate the RIG EK administrator, it is difficult to eradicate. Although the EK has not substantially changed its exploits in recent activity, the type and version of malware it distributes constantly change.
The researchers recommend keeping software up to date and implementing browser protection solutions to prevent the exploitation of known vulnerabilities by the RIG EK.