RIG is one of the most actively used exploit kits for distributing a variety of malware. First spotted in 2014, the kit is notable for its ability to combine different web technologies, such as VBScript, Flash, and DoSWF obfuscation, to evade detection. Recently, researchers spotted new activity in which the RIG exploit kit is used to drop the infamous Dridex banking trojan.
What’s the matter?
- According to Bitdefender researchers, the operators of the RIG exploit kit have swapped out Raccoon Stealer for the Dridex trojan as part of an ongoing campaign that began in January 2021.
- The change in modus operandi follows Raccoon Stealer's temporary shutdown in February 2022.
- Even after Raccoon Stealer's operation was fully terminated in late March, the flexibility of the RIG exploit kit allowed its operators to recover quickly from the disruption and swap in a new payload.
Other recent RIG activity observed
- In April, the exploit kit was used to deliver RedLine Stealer in a new campaign.
- That campaign exploited an Internet Explorer vulnerability to distribute the malware.
- Once executed, the stealer exfiltrated passwords, cookies, and credit card data saved in browsers, as well as data from cryptocurrency wallets. It could also steal VPN login credentials and text from files.
The bottom line
Bitdefender researchers note that the ability to swap payloads so quickly shows that threat actors are agile and adapt rapidly to change. Organizations should therefore strengthen their defenses and continuously monitor for such activity so that threats can be caught and remediated at an early stage.