There has been a recent change in the exploit kit (EK) landscape: multiple sources report that the RIG EK is slowly but surely replacing the notorious Neutrino.
The security company Malwarebytes is the latest firm to support this conclusion. Before that, Heimdal Security, which noticed that RIG activity was growing significantly, released a similar report. Cisco Talos also spotted the change when it helped take down a huge malvertising campaign that used the Neutrino EK. This gave RIG a huge opportunity to take over Neutrino's campaigns and steal its clients.
“Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it.” – Jerome Segura of Malwarebytes said – “But since then, there have been several shake ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high volume attacks from compromised websites.”
Moreover, researchers say that RIG is not only taking Neutrino's place in malvertising campaigns but is also using some of its source code. According to experts, Neutrino previously relied on the wscript.exe process to infect victims' computers with exploits. This technique was even described as "Neutrino's trademark", since it was the only EK to use it.
When Neutrino's activity started sinking at the beginning of this month, RIG abandoned its previous iexplore.exe process and began using Neutrino's wscript.exe one. Furthermore, at the same time, malvertising campaigns that used RIG started delivering the CryptMIC ransomware, which had been dropped only by Neutrino during the whole summer.
All this indicates that there is a new leader in the EK market. Even though Neutrino is not completely gone, the takedown of a couple of its malvertising campaigns significantly harmed its reputation, and its clients decided to move to RIG instead.
Also, Digital Shadows' report states that there aren't many exploit kits on the market, so malware distributors don't have much of a choice. This year, only seven EKs have been active, and two of them (Nuclear and Angler) are already gone. This leaves only the Neutrino, RIG, Hunter, Sundown and Magnitude EKs currently available.
Websites like Malware Traffic Analysis confirm that Neutrino has been replaced, with RIG taking the leader's place on the malvertising market for September.