In the world of cyber security, good things and bad are often intertwined.

For example, the makers of Angler, the most notorious and impactful exploit kit, were arrested less than a month ago. Then Neutrino, another huge exploit kit, took a big hit when authorities stopped a huge malvertising campaign.

But this left a huge gap in the cyber criminal market, which RIG promptly came to fill.

So we published an analysis of the latest campaign of the RIG exploit kit, which is currently manipulating vulnerabilities in Adobe Flash Player and Internet Explorer to infect users with CrypMIC ransomware.

RIG Exploit Kit Picks up Where Neutrino Left Off, Spreads CrypMIC ransomware

The Neutrino EK campaign takedown that was announced 20 days ago left a big gap in the cyber crime market. And so did the arrest of Angler’s creators. But it didn’t take long for other cyber criminals to jump at the chance to increase their revenues.

Until the Neutrino malvertising rampage was stopped from targeting Internet users indiscriminately earlier this month, cyber attackers deployed massive campaigns that used malicious ads to spread CrypMIC ransomware throughdrive-by attacks. And now RIG exploit kit is picking up right where Neutrino left off.

Although there is no shortage of exploit kits on the market, one of the most popular ones was bound to gain market share. As a consequence, RIG is growing fast.

The current campaign uses the classic method of script injection to compromise legitimate web pages and turn them into vectors for malware distribution. The injected script redirects Internet traffic to multiple domains which have been hijacked and are now used for domain shadowing.

The current campaign is linked to Pseudo Darkleech, a type of infection that randomizes some of the elements to maintain the malware covert and detection rates low. As with all 2nd generation malware, the threat keeps changing, to avoid being caught by traditional antivirus:

The “Pseudo-Darkleech” infection constantly evolves. It became much stealthier than the original version. It experiments with new URL patterns in its iframes: at this point, it can be recognized by DNS shadowing and forum-like URLs. Since recently, the iframe is being injected via a creative obfuscated JavaScript code.

In the observed attacks, the payload is delivered by taking advantage of variousrecent vulnerabilities in Adobe Flash Player, a cyber criminals’ favourite.

The CrypMIC exploit is dropped into Windows temporary folder with a random file name. The file is run as the user that is logged in (example: with administrator rights), and instantly connects to a central C&C (Command & Control) server over TCP port 443.

Unfortunately, antivirus detection is very low, as a consequence of the attackers’ efforts to remain undetected for as long as possible. Only 4/57 solutions have picked it up so far – one of them is VirusTotal.

This goes to show once more that you need to think of your cyber security in layers, and never underestimate cyber criminals and their tactics.

*This article features cyber intelligence provided by CSIS Security Group researchers.