RIG exploit kit takes over while Angler on vacation
Researchers at Cisco's Talos Security Intelligence and Research Group traced RIG to a single hosting provider out of Russia, Eurobyte, which proved to be uncooperative when it came to taking it down.
"Eurobyte is a downstream provider from Webzilla," said threat researcher Nick Biasini. "Webzilla was very responsive and worked to make sure the hosts were taken down. Eurobyte was not really responsive to us, despite several attempts to contact them."
In fact, even as Webzilla shut down RIG servers, Eurobyte would simply bring up new ones.
"We found that large chunks of their network were actually bad," said Biasini. "So we decided to just block a big chunk of the address space."
The blacklisting will protect customers who use Cisco security products. Researchers also reached out to OpenDNS, which was already blocking the majority of this address space, to help them round out their protection.
This underscores one of the major problems cybersecurity professionals face today. A single large hosting provider might have multiple downstream providers reselling their services.
The large providers are usually more cooperative when it comes to shutting down malicious servers, but the smaller downstream providers cooperating with the cybercriminals, simply load up new ones.
"We were able to inflict some damage to RIG during our investigation, but were unable to actually get the actors behind the activity stopped," Biasini said in his report.
The RIG exploit kit, also known as Goon, has been around since 2013. And while Angler's activity levels scale up and down in waves, RIG has more of a "slow but steady" level of activity.
Another difference is that RIG is a popular way to install spam botnets, while Angler is known more for ransomware and other types of malware installers.
But both offer exploits as a service, according to Biasini.
An unsuspecting user visits an infected website, or a site with a malicious ad, and the exploit kit then looks for vulnerabilities in the user's browser. If there's a vulnerability, then the malware is quietly installed in the background.
Biasini declined to name specific websites or advertising networks that have been hit by this exploit kit.
"We have no visibility into the back end of the advertising side of it," he said.
Over the past couple of months, the most common vulnerability used has been CVE-2015-5119, a critical vulnerability which affects Flash versions 18 and older, but which has been patched in more recent releases.
Most of RIG's payloads were detected by more than half of antivirus vendors, but infections continue to mount up, particularly for Internet Explorer users on Windows platforms, according to the Talos report.