RIG Exploit Kit (RIG EK), a prolific malware being operated as a MaaS subscription model, is enjoying the most glorious duration of its lifetime in terms of successful attacks. This financially motivated malware is currently attempting around 2,000 attacks daily, with the highest success ratio ever during its entire lifetime.
Top stats from the report
Prodaft researchers were recently able to peek into the backend web panel (called RKIT) of RIG EK to explore its infrastructure and share analysis.
- To date, RIG EK has targeted 207 countries across the globe, with an average of around 2,000 attacks per day.
- The most targeted countries are Germany, Russia, Brazil, Saudi Arabia, Spain, Egypt, Italy, France, Turkey, Algeria, Ghana, and Mexico.
- RIG EK has used a large number of exploits to target its victims, however, the highest successful infection rate (45%) has been achieved with CVE-2021-26411 (a memory corruption vulnerability in Internet Explorer).
- Meanwhile, other top exploited vulnerabilities include CVE-2016-0189 (29%) and CVE-2019-0752 (10%) in Internet Explorer.
Spike in success rate
At present, RIG EK has a success rate of 30%, thanks to the adoption of two new exploits last year..
- During its initial launch in 2017, it was primarily targeting CVE-2012-0507 (Unspecified vulnerability in Oracle Java SE) and CVE-2013-0074 (Silverlight Double Dereference Vulnerability), with a success rate of 22%.
- However, after its takedown attempt in July 2017 (via Operation Shadowfall), it resurfaced with two new exploits: CVE-2021-26411 and CVE-2020-0674 (remote code execution vulnerability in Internet Explorer), after which its successful exploitation rate jumped to 30% in 2022.
Malware distribution
Since RIG EK is available as a service model, it has been used by different adversaries to distribute all sorts of malware, the majority of them being info-stealers.
- The most propagated malware was Dridex (34%), since RIG developers had taken additional manual steps to ensure its smooth distribution.
- Other prominent malware includes SmokeLoader (26%) and RaccoonStealer (20%). Additional malware distributed via RIG EK include Zloader (2.5%), Truebot (1.8%), and IcedID (1.4%).
The bottom line
RIG EK has managed to expand its scope across hundreds of countries within eight years. Moreover, its association with several prominent malware, including Dridex, SmokeLoader, and RaccoonStealer, implies that it is still a significant threat to organizations and end users. To keep RIG EK at bay, experts recommend having a robust patch management and distribution mechanism to ensure timely updates and patches for all software.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/3783_shutterstock_2033283053.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/21e3_shutterstock_178992023.jpg)
