Earlier this year, a disgruntled reseller leaked the source code for version 2.0 of the RIG exploit kit.
Since then, RIG's author has released version 3.0, which was recently discovered by researchers from Trustwave's SpiderLabs. The latest version uses malvertising to deliver the majority of its traffic and has infected some 1.25 million systems to date.
There have been a few notable changes to RIG between versions: a cleaner control panel that is easier to navigate, changes to the URL structure used by the kit that help it avoid detection, and a security structure that prevents unauthenticated users from accessing internal files. The last of these was clearly implemented to avoid leaks such as the one that exposed the source code of the previous version.
Moreover, payloads are now stored in the database. Previously, the files were stored in a folder on the administration server; now they are accessible only via the control panel, which prevents them from being executed on the server.
In order to deal with DDoS attacks, the RIG author has taken to using CloudFlare services, which has helped it remain online despite constant attack.
SpiderLabs researchers observed two instances of RIG 3.0. According to their figures, the kit has recorded more than 3.5 million hits, resulting in 1.25 million successful infections.
This works out to a daily average of 27,000 infected systems, largely due to the number of Adobe Flash exploits leveraged by the kit, including the exploits found in the cache of files leaked after Hacking Team was compromised (CVE-2015-5119, CVE-2015-5122). RIG is also using CVE-2013-2551 and CVE-2014-6332 to target Internet Explorer. As for the victims, Vietnam, followed by Indonesia, Thailand, Brazil, and Turkey, were the most infected locations during the period in which researchers observed the exploit kit in action.
The infrastructure used by RIG 3.0 is similar to that of the previous version; however, the changes made to the kit have affected detection. Since it was discovered, many vendors have failed to flag the URLs used by the exploit delivery servers.
While observing the instances, researchers determined that nearly 70 percent of the traffic being delivered to RIG could be directly linked to a number of malicious ad campaigns.
Arseny Levin, Lead Security Researcher at Trustwave, said that many of the malvertising runs were staged from a number of smaller ad networks, which at the time had no idea they were being used by criminals.
"Criminals will seek out the cheapest ad providers where they can place their malicious ads and turn that cheap traffic into infections using exploit kits. For the criminal, these infections are their profit, so it makes sense, financially, to go to the lowest ad providers down the chain," he said.