Batu69 Posted September 28, 2016

RIG exploit kit takes on large malvertising campaign

There has been an interesting battle between two exploit kits in the past few months. Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it. But since then, there have been several shake-ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high-volume attacks from compromised websites.

Today we spotted a malvertising incident on popular website answers.com (2 million visits daily) via the same pattern that was used by Angler EK and subsequently Neutrino EK: the 'domain shadowing' practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub.com). Contributing to its recent expansion, RIG EK was the go-to exploit kit for this campaign. Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected without even having to click on it.

Domain shadowing:
https://ads.retradio.com/www/delivery/afr.php?id=69151&target=_blank&click=http://r.turn.com/{redacted}
-> Referer: http://www.answers.com/Q/What_is_Windows_7_loader

Open redirector and RIG EK:
https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-{redacted}

RIG EK, the new Neutrino?

In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary. This may seem like a minor difference, but it has been Neutrino's trademark for a long time and used as a way to bypass certain proxies. Below is a comparison of the script Neutrino EK and RIG EK leverage to download the encoded malware binary.

For the past weeks, RIG EK has been observed dropping the CrypMIC ransomware, a payload that Neutrino first served back in July.

More of the same fake advertisers

Threat actors are privileging RIG over its rival Neutrino, as can be seen from various malware campaigns. In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.

Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs. Running an additional layer of protection, such as exploit mitigation software, ensures that drive-by download attacks leveraging zero-day vulnerabilities are also stopped.

Article source
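As an added example (not code from the article, Malwarebytes, or the forum post), here are two small detection checks a defender could run over log data for the two points the article raises: a known open redirector whose forward= parameter points outside its own domain, and an executable launched by wscript.exe from a user profile path, the parent-process change RIG adopted from Neutrino. The redirector host list, the process records and the two-label domain heuristic are assumptions made for the example.

```python
# Added example; not code from the article, Malwarebytes, or the forum post.
from urllib.parse import urlparse, parse_qs

# Assumption: hosts known to expose an open "forward=" redirector (from the post).
REDIRECTOR_HOSTS = {"p.rfihub.com"}

# Open-redirector URL quoted in the post; "{redacted}" is kept as it appears there.
SAMPLE_URL = ("https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/"
              "?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-{redacted}")


def owning_domain(host):
    """Simplification for this example: the last two labels stand in for the
    registrable domain (a public-suffix list would be used in production)."""
    return ".".join(host.lower().split(".")[-2:])


def open_redirect_target(url):
    """Return (redirector_host, forwarded_host) when a known redirector forwards
    to a host outside its own domain; otherwise None."""
    p = urlparse(url)
    if p.hostname not in REDIRECTOR_HOSTS:
        return None
    forward = parse_qs(p.query).get("forward", [""])[0]
    target = urlparse(forward).hostname
    if not target or owning_domain(target) == owning_domain(p.hostname):
        return None  # same-site forward: ordinary ad-tech behaviour
    return p.hostname, target


# Constructed process-creation records (Sysmon-style fields), not real telemetry.
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\rad0A1B2.tmp.exe"},
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def script_host_drops(events):
    """Return images of executables started by wscript.exe from a user-writable
    profile path: the drop pattern the post attributes to RIG and Neutrino."""
    hits = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].lower()
        if parent == "wscript.exe" and "\\appdata\\" in image and image.endswith(".exe"):
            hits.append(ev["image"])
    return hits
```

Both checks are deliberately narrow; in practice the forward target would be compared against the referring site as well, and the process rule extended to other script hosts.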
straycat19 Posted September 28, 2016

The US Congress is looking at a bill that would make heads of agencies responsible for breaches of their respective networks and could result in demotions, pay reductions, or firing, based upon the severity. Businesses would do well to adopt the same standards. Companies/web sites that host these attacks ought to be held responsible. According to some of the best lawyers in San Francisco that I have talked to lately, there is precedent for filing class action lawsuits in cases such as the one depicted above against the hosting web site. This would give more motivation to websites policing their ads and those of their ad companies.

Personally I would rather treat the malvertisers as what they are, terrorists, and go after them with special operation troops. Could you imagine a team from Delta Force 'dropping' in on a malvertiser at 3am with concussion grenades (we don't currently have any in the inventory so we would have to use conventional hand grenades) and neutralizing the objective. Now that would be a deterrent.
steven36 Posted September 28, 2016

The problem is no one in the USA has any authority outside its jurisdiction, no way. Most of the time when anyone gets arrested for these exploit kits it takes a global Interpol effort. But many exploit kits are in countries that won't help the USA or the West out. The RIG exploit kit has been making its rounds since 2014. http://malware-traffic-analysis.net/2014/05/07/index.html

The business world cannot hold up the law. Being a vigilante is a crime too; only you are responsible for your own security. You must report breaches to the proper channels. The reason businesses are going to be held responsible is that many try to hide the fact they were breached because it's bad for business, and many are too cheap to buy proper security to begin with. These rich companies don't pay my bills, no way, so I could care less what happens to them in the end.

And comparing terrorism with online crime is nonsense; not all hackers have ties with this. Before terrorism the government blamed everything on Communism; they would just find something new to blame it on so they can control everyone. It's the world's own fault that they store all this info online. The world existed for 1000s of years just fine without it. The world has dug its own grave and doesn't have sense enough to reverse it. Golly gee, I trusted my life with man-made technology that the whole world can try to access and breach me, sort of thing going on now in the 21st century. It just shows how pathetic the world has become, and they are chasing ghosts, invisible entities, that you cannot see, and many are located in places where, as long as they don't mess with their own country, they will never be stopped. So at best all your browser vendor can do is patch it and stop one of them, like Microsoft did last Patch Tuesday for a 2-year-old exploit that they knew about...

If people were serious about this they would be plugging holes for these old exploits like RIG every day, but they wait years to do anything; it's a big freaking joke really... They're patching things that haven't even been exploited in the wild, paying millions to researchers, while exploits already in the wild go for years never patched. What's not in the wild can't harm you yet. So it's a false sense of security. They can pass laws till they turn blue in the face but there is a big problem with this: there's just one country with one set of laws. There are 197 more countries with different laws on cyber warfare; they may look good on paper, but it's yet to be seen that they accomplish anything but make people stop trusting the internet, or they could destroy it. Life will go on with or without it; you don't have to have it to live. If you think you do you have lost touch with reality.