The RIG exploit kit (EK) is baaaaaack—and enjoying special popularity in some parts of Africa.
RIG has made its way onto the list of top 10 threats in Kenya and Nigeria, according to Check Point’s March Global Threat Impact Index. So while the Necurs botnet remains a top vector for malware infections in the region, it’s clear that EKs are seeing a resurgence.
EKs are designed to discover and exploit vulnerabilities on machines in order to download and execute further malicious code—but they have been in decline since a high point in May 2016, following the demise of the leading Angler and Nuclear variants. However, March saw the RIG EK surge up the rankings, being the second most-used malware worldwide throughout the period. The Terror EK also increased dramatically in usage in March, and was just one place from making it into the monthly Top 10 list.
RIG delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript, which then checks for vulnerable plug-ins and delivers the exploit. Terror meanwhile is relatively new, and was first detected at the start of December 2016, and contained eight different operational exploits. Both RIG and Terror have been witnessed delivering a wide variety of threats, from ransomware and banking Trojans to spambots and BitCoin miners, according to Check Point.
Three African countries, including Zambia, Malawi and Uganda, are still in the Top 10 of Check Point's Threat Index, which measures risk by country, in no small part due to the EK surge. To wit: Ransomware proved one of the most profitable tools at cyber-criminals' disposal throughout 2016, and with popular EKs now being used to deliver it, the threat shows no sign of dying down.
"The dramatic resurgence of EKs in March illustrates that older threats don't disappear forever— they simply go dormant and can be quickly redeployed,” said Rick Rogers, area manager for East and West Africa at Check Point. “It is always easier for malicious hackers to revisit and amend existing malware families and threat types rather than develop brand new ones, and EKs are a particularly flexible and adaptable threat type.”
Other popular malware in Africa includes Sality, a family of file infectors spread by infecting .exe and .scr files and via removable drives and network shares. Systems infected with Sality can communicate over a peer-to-peer (P2P) network for spamming purposes, proxying of communications, and to compromise web servers, exfiltrate sensitive data and coordinate distributed computing tasks to process intensive tasks. Also, Hiddad is gaining prominence; it’s an Android malware which repackages legitimate apps and then releases them to a third-party store. The Virut botnet and malware distributor used in DDoS attacks, spam distribution, data theft and fraud is also widespread, as is Gamarue, a modular bot that harvests financial credentials.