RIG is one of the actively used exploit kits for distributing a variety of malware. First spotted in 2014, the kit is notable for combining different web technologies such as VBScript, Flash, and DoSWF to evade detection. Recently, researchers have spotted new activity involving the RIG exploit kit that enables threat actors to drop the infamous Dridex trojan.

What’s the matter?

  • According to Bitdefender researchers, the operators behind the RIG exploit kit have swapped the Raccoon Stealer malware with Dridex trojan as part of an ongoing campaign that commenced in January 2021.
  • The switch in the modus operandi comes in the wake of Raccoon Stealer temporarily closing its operation in February 2022.
  • Despite the complete termination of Raccoon Stealer in late March, the unique feature of the RIG exploit kit allowed its operators to rapidly recover from disruption and substitute the payloads.

Other recent activities of RIG observed

  • In April, the exploit kit was used in conjunction with RedLine Stealer in a new campaign.
  • The campaign abused an Internet Explorer vulnerability to distribute the malware.
  • Once executed, the stealer was capable of exfiltrating passwords, cookies, and credit card data saved in browsers and cryptocurrency wallets. Additionally, the stealer could pilfer VPN login credentials and text from files.

The bottom line

Bitdefender researchers note that the ability to quickly swap payloads demonstrates that threat actors are agile and quick to adapt to change. Therefore, organizations must bolster their defense systems and periodically monitor activity to catch and remediate threats at an early stage.

Cyware Publisher