RIG EK Ramps Up to Spread CrypMIC Ransomware

Fresh from the ashes of the Neutrino exploit kit campaign takedown, RIG EK has risen to take over its market share.

“The [takedown] that was announced 20 days ago left a big gap in the cybercrime market,” explained Andra Zaharia, Heimdal Security researcher, in a blog. “And so did the arrest of Angler’s creators. But it didn’t take long for other cyber-criminals to jump at the chance to increase their revenues.”

Neutrino had been running a massive malvertising campaign that used malicious ads to spread the CrypMIC ransomware through drive-by attacks. RIG EK is now distributing the same ransomware, and has been spotted in several campaigns that use malicious code injections to divert traffic to web pages created through domain shadowing. In the observed attacks, the payload is delivered by exploiting several recent vulnerabilities in that cyber-criminal favorite, Adobe Flash Player.

“The current campaign uses the classic method of script injection to compromise legitimate web pages and turn them into vectors for malware distribution,” Zaharia explained. “The injected script redirects Internet traffic to multiple domains which have been hijacked and are now used for domain shadowing.”

First uncovered over the summer, the CrypMIC ransomware can encrypt files on removable and network drives and can steal data and credentials from a range of programs. It does not add an extension to encrypted files, “making it trickier to determine which files have been held in ransom.” It also checks for virtual machine environments and reports that information to its command-and-control server.

The campaign is linked to Pseudo-Darkleech, a type of infection that randomizes some of its elements to keep the malware covert and detection rates low. And it appears to be working: according to VirusTotal, only 4 of 57 antivirus engines have detected it so far.

As with all second-generation malware, the threat keeps changing, to avoid being caught by traditional antivirus, as Sucuri experts explained: “The Pseudo-Darkleech infection constantly evolves. It became much stealthier than the original version. It experiments with new URL patterns in its iframes: at this point, it can be recognized by DNS shadowing and forum-like URLs. Since recently, the iframe is being injected via a creative obfuscated JavaScript code.”

Zaharia added, “This goes to show once more that you need to think of your cyber security in layers, and never underestimate cybercriminals and their tactics.”
