Malvertising and Cryptowall Mark the Appearance of the RIG Exploit Kit

A recently launched exploit kit, dubbed 'RIG', is generating a big spike in traffic, according to Cisco—the company has blocked requests to over 90 domains for more than 17% of its Cloud Web Security (CWS) customers. It’s notable for its use of a Silverlight vulnerability to make use of a malvertising tactic.

Also, most of RIG’s usage is for distributing Cryptowall, the latest ransomware to follow the now-infamous CryptoLocker’s practice of using a key-based encryption system to hold victim data hostage.

Cisco also said that the kit continues the trend of an increased reliance upon Silverlight, following in the footsteps of the Fiesta and Angler kits.

“Like these other kits, we have seen RIG using malvertising to perform a drive-by attack on visitors to high profile, legitimate websites,” the researchers explained in an analysis. “This accounts for the high amount of traffic we have seen in the last month.”

The use of malvertising makes propagation easier for criminals, given the many-to-one relationship between websites and the affiliate ads included on them. The same ads can be served across many sites, and the same site can serve many different ads.

RIG also appears to have been making use of both newly registered domains and compromised legitimate sites to both host its landing pages and serve its exploits.

“Using existing legitimate sites to host the EK alleviates the need to create and maintain a dedicated domain infrastructure, and mitigates some of the problems associated with doing so: registering new domains, randomizing naming, using multiple email addresses, etc., in order to avoid easy attribution”, Cisco analysts explained.

RIG’s trajectory is notable in the patterns in the cybercrime world that it points to, they added.

“There is a continuous churn in the EK market: new kits arrive, old kits mutate and evolve,” said the researchers. “However amidst the churn, patterns emerge: Silverlight continues to rise in prevalence, and Java exploits appear to be on the wane. We have seen a lot of exploit kits generating their traffic using malvertising recently, and this will surely continue to be a powerful and readily exploitable way of infecting users.”

Researchers added that its payload, Cryptowall, will seem familiar to cybercrime analysts.

In practice, the ransomware is almost identical to CryptoLocker. As the perpetrators helpfully explain, “This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them,” reads the notice shown to infected victims.

“Especially for you, on our server was generated the secret key pair RSA-2048 -- public and private. All your files were encrypted with the public key, which has been transferred to your computer via the internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.”

It then directs victims to visit a Tor-hosted 'personal home page' with information about their ransom. Cisco’s test server drew a $600 ransom with a two-week deadline.

“This threat should be taken seriously - other ransomware has been known to make good on its warnings of data loss,” Cisco analysts said. “Given the recent high-profile reports of an FBI shutdown of CryptoLocker, it is worth remembering that whilst Cryptolocker has proven to be an extremely potent threat it is just one of several forms of ransomware, including Cryptowall and Cryptodefense. Ransomware has proved to be a very successful form of extortion and we are likely to see new variants on the CryptoLocker theme for quite some time.”

That said, regularly updated and patched machines which do not have rich media platforms such as Flash and Silverlight enabled remain “relatively immune” from these kinds of attacks, the researchers said.

What’s Hot on Infosecurity Magazine?