RIG exploit kit takes on large malvertising campaign

September 27, 2016 by admin

There has been an interesting battle between two exploit kits in the past few months. Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position as the top malware and malvertising campaigns defaulted to it. Since then there have been several shake-ups, and an underdog, RIG EK, has replaced Neutrino EK on several high-volume campaigns fed from compromised websites.

Today we spotted a malvertising attack on the popular website answers.com (2 million visits daily) that follows the same pattern previously used by Angler EK and subsequently Neutrino EK: the ‘domain shadowing’ practice combined with the HTTPS open redirector from Rocket Fuel (rfihub.com).

Some visitors who browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected without even clicking on it.

[Image: infection flow]

Domain shadowing:

  • https://ads.retradio.com/www/delivery/afr.php?id=69151&target=_blank&click=http://r.turn.com/{redacted} -> Referer: http://www.answers.com/Q/What_is_Windows_7_loader

Open redirector and RIG EK:

  • https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-{redacted}
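The two URLs above show the pattern a defender can look for in proxy logs: an ad-server URL whose `click` parameter hands off to another host, and an HTTPS redirector whose `forward` parameter carries the exploit kit landing page. The following is an added example, not code from the original post or from Malwarebytes, that walks such redirect chains offline (no requests are made) and flags hops that leave the redirector's own domain, alongside a lookup against the post's two indicators. The log line layout, the list of redirect parameter names beyond `click` and `forward`, and the small second-level-suffix table are assumptions made for the example.

```python
"""Flag open-redirect hops and known indicators in web proxy log URLs (added example)."""
from urllib.parse import urlsplit, parse_qs, unquote

# 'click' and 'forward' are the parameter names seen in the post; the rest are
# assumed common redirector parameter names added for coverage.
REDIRECT_PARAMS = ("forward", "click", "url", "u", "redirect")

# Assumption: a tiny stand-in for a public-suffix list so that 'eclouds.co.uk'
# is not collapsed to 'co.uk'.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Indicators of compromise listed in the post.
IOC_HOSTS = {"ads.retradio.com"}
IOC_IPS = {"63.141.242.35"}


def redirect_target(url):
    """Return the onward URL carried in a redirector-style query parameter, or None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def registered_domain(host):
    """Approximate the registrable domain of a host name (see SECOND_LEVEL_SUFFIXES)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hop_chain(url, max_hops=5):
    """List the hosts a browser would be bounced through, purely from the URL's nested parameters."""
    hosts = []
    current = url
    while current and len(hosts) < max_hops:
        hosts.append(urlsplit(current).hostname or "")
        current = redirect_target(current)
    return hosts


def is_open_redirect(url):
    """True when the first hop forwards to a host outside the redirector's own registered domain."""
    hosts = hop_chain(url)
    return len(hosts) >= 2 and registered_domain(hosts[0]) != registered_domain(hosts[1])


def scan_proxy_log(lines):
    """Return findings for lines that match an IOC or contain an external redirect hop."""
    findings = []
    for line in lines:
        # Assumed layout: timestamp client_ip destination_ip url referer
        _ts, client, dst_ip, url, referer = line.split()
        host = urlsplit(url).hostname or ""
        reasons = []
        if host in IOC_HOSTS or dst_ip in IOC_IPS:
            reasons.append("ioc-match")
        if is_open_redirect(url):
            reasons.append("external-redirect:" + "->".join(hop_chain(url)))
        if reasons:
            findings.append({"client": client, "url": url, "referer": referer, "reasons": reasons})
    return findings


# URLs quoted from the post (with its own {redacted} markers kept in place).
RETRADIO_URL = ("https://ads.retradio.com/www/delivery/afr.php"
                "?id=69151&target=_blank&click=http://r.turn.com/{redacted}")
RFIHUB_URL = ("https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/"
              "?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-{redacted}")

# Constructed proxy log lines; client and destination IPs are documentation ranges.
# The third line pairs the post's IOC IP with a constructed URL for illustration only.
SAMPLE_LOG = [
    f"2016-09-27T10:00:01Z 10.0.0.5 198.51.100.10 {RETRADIO_URL} http://www.answers.com/Q/What_is_Windows_7_loader",
    f"2016-09-27T10:00:02Z 10.0.0.5 198.51.100.11 {RFIHUB_URL} https://ads.retradio.com/",
    "2016-09-27T10:00:03Z 10.0.0.5 63.141.242.35 http://landing.invalid/index.html -",
    "2016-09-27T10:05:00Z 10.0.0.7 198.51.100.12 https://www.example.com/index.html -",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["client"], finding["reasons"], finding["url"])
```

Because the chain is reconstructed from the URL alone, the check works on historical logs and never touches the attacker's infrastructure; the trade-off is that a redirector which stores the destination server-side (an opaque id rather than a URL parameter) will not be caught this way.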

RIG EK, the new Neutrino?

In early September we noticed a change in how RIG drops its malware payload. Rather than the dropped binary being launched by the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary.

[Image: the two RIG EK payload-execution variants]

This may seem like a minor difference, but it has been Neutrino’s trademark for a long time and is used as a way to bypass certain proxies. Below is a comparison of the scripts Neutrino EK and RIG EK use to download the encoded malware binary.

[Image: Neutrino EK vs RIG EK download script comparison]
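The parent-process change described above is exactly the kind of detail an endpoint detection rule can key on: both variants end with a binary being executed from a user-writable location, and the parent is either the browser itself or a script host that the browser spawned. The following is an added example, not code from the original post or from Malwarebytes, that rebuilds the process tree from process-creation events and raises an alert for both chains the post describes, rating the browser → wscript.exe → binary chain higher. The event fields, the process ids and the file paths are constructed for the example; the set of browser and script-host image names is an assumption.

```python
"""Flag drive-by payload execution chains in process-creation events (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed image-name sets for the rule.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations a non-admin user (and therefore a drive-by payload) can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record, as a Sysmon- or EDR-style feed would supply it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def build_tree(events):
    return {e.pid: e for e in events}


def ancestry(tree, pid, limit=8):
    """Image names from the given process upwards: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in tree and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(image_name(tree[pid].image))
        pid = tree[pid].ppid
    return chain


def drive_by_chain_alerts(events):
    """Return (pid, chain, severity) for binaries in user-writable paths spawned by a browser or a
    browser-launched script host; the script-host variant mirrors the RIG/Neutrino behaviour."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        if not in_user_writable(e.image):
            continue
        chain = ancestry(tree, e.pid)
        if len(chain) < 2:
            continue
        parent = chain[1]
        if parent in SCRIPT_HOSTS:
            # Script host launched from a browser is the strongest signal.
            severity = "high" if len(chain) >= 3 and chain[2] in BROWSERS else "medium"
        elif parent in BROWSERS:
            severity = "medium"
        else:
            continue
        alerts.append((e.pid, " <- ".join(chain), severity))
    return alerts


# Constructed events: one benign install, one browser-spawned binary (older RIG behaviour),
# one script-host-spawned binary (the behaviour described in the post).
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\wscript.exe", "wscript.exe <constructed argument>"),
    ProcEvent(2200, 2100, r"C:\Users\alice\AppData\Local\Temp\payload.exe", "payload.exe"),
    ProcEvent(2300, 2000, r"C:\Users\alice\AppData\Local\Temp\dl.exe", "dl.exe"),
    ProcEvent(3000, 1000, r"C:\Program Files\Vendor\app.exe", "app.exe"),
    ProcEvent(3100, 1000, r"C:\Users\alice\Downloads\setup.exe", "setup.exe"),
]

if __name__ == "__main__":
    for pid, chain, severity in drive_by_chain_alerts(SAMPLE_EVENTS):
        print(f"[{severity}] pid {pid}: {chain}")
```

Note that a user double-clicking an installer in Downloads (pid 3100, parent explorer.exe) is deliberately not flagged; the rule is about what the browser or a browser-launched script host starts, which is the chain a drive-by download produces without user interaction.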

For the past few weeks, RIG EK has been observed dropping the CrypMIC ransomware, a payload that Neutrino first served back in July.

More of the same fake advertisers

Threat actors are favouring RIG over its rival Neutrino, as can be seen from various malware campaigns. In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.

Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs. Running an additional layer of protection, such as exploit mitigation software, ensures that drive-by download attacks leveraging zero-day vulnerabilities are also stopped.

Further reading:

  • A look into some RIG exploit kit campaigns

Indicators of compromise:

  • ads.retradio.com
  • 63.141.242.35
