New version of RIG exploit kit sees 34 percent attack success rate
At the beginning of this year the RIG exploit kit had its source code leaked online by an unhappy reseller. This led to a hit in its success rate as security company Trustwave published details of its workings.
Trustwave revealed today at Black Hat that RIG's authors have been working on a new version, RIG 3.0. The company's researchers say there are now up to 1.25 million victims worldwide and more than 3.6 million attack attempts, a remarkable success rate of 34 percent.
RIG 3.0 has multiple layers, making it more robust. It targets victims via outdated versions of Internet Explorer and browser plugins, particularly Flash. RIG attacks via three routes: infected adverts, which account for over 90 percent of victims; already infected computers being re-infected (the malware enables hidden browsing on an already infected computer, so it browses other exploit kits and re-infects the machine); and simply visiting a compromised website.
The developers have also learned from the leaking of RIG 2.0's code. "This time around they're not using resellers but hosting the kit directly in Russia and protecting the server using CloudFlare," says Arseny Levin, Lead Security Researcher at Trustwave SpiderLabs. "They've also fixed the vulnerabilities that allowed the leak back in February".
The country hit hardest by RIG 3.0 is Brazil, with 450,529 infected victims, followed by Vietnam with 302,705 infections. The US has 45,889 victims, Canada 3,913 and the UK 9,662. The software is able to deliver various payloads, depending on the specific customer, but the top one delivered so far is the Tofsee spam bot, representing 70 percent of all infections.
To avoid falling victim to this attack, users should make sure all software -- including browser plugins -- is up to date, and uninstall any software that is actually not in use to reduce the attack surface. "It's also worth enabling click-to-play in your browser so that plug-in content from Java, Flash, Silverlight, etc isn't automatically opened when you visit a website," says Levin. Businesses should be using managed anti-malware controls, such as gateway technologies that can detect and strip out malware in real-time.
More information about RIG 3.0 is available on Trustwave SpiderLabs' blog.