Heimdal Security researchers warn of a newly found malvertising campaign that redirects victims to malicious web pages hosting the notorious RIG exploit kit (EK), which infects them with the CrypMIC ransomware.
These latest infections appeared just after the security teams at GoDaddy and Cisco took down another malvertising wave at the beginning of this month. The researchers said that campaign abused advertising companies running OpenX servers to add malicious code inside ads. Those ads also redirected victims to shady web pages hosting an EK, but in that case it was the Neutrino exploit kit.
According to Heimdal, the number of malvertising campaigns relying on the RIG EK is now increasing.
“RIG exploit kit has been spotted in several campaigns that use an ‘iframe src’ as the malicious inject to divert traffic to the arbitrary web pages created through domain shadowing.” – Heimdal’s Andra Zaharia wrote today.
The RIG EK installations exploit several recently discovered Flash vulnerabilities. Using these flaws, the RIG EK infects victims with the infamous CrypMIC ransomware, just as the Neutrino EK did.
CrypMIC is a clone of the more popular CryptXXX ransomware and first appeared this summer.
Digital Shadows recently published a report according to which the RIG EK is one of the five active exploit kits on the market. The other four are the Neutrino EK, the Sundown EK, the Magnitude EK, and the less popular Hunter EK.
Experts recommend that all users install an ad blocker as a preventive measure.