At the beginning of 2016, the Angler exploit kit went on holiday, and the Russia-hosted RIG exploit kit took over in its place.
Security researchers at Cisco’s Talos Security Intelligence and Research Group traced RIG to Eurobyte, a single hosting provider in Russia, which appeared uncooperative when it came to taking the kit down.
According to Nick Biasini, “Eurobyte is a downstream provider from Webzilla”.
“Webzilla was very responsive and worked to make sure the hosts were taken down. Eurobyte was not really responsive to us, despite several attempts to contact them.”
“We found that large chunks of their network were actually bad,” said Biasini. “So we decided to just block a big chunk of the address space.”
Blacklisting the address space is meant to protect customers who use Cisco security products. Additionally, the researchers contacted OpenDNS, which was already blocking the majority of this address space, to help them round out their protection.
This illustrates one of the major problems cybersecurity professionals face today: a single large hosting provider may have multiple downstream providers reselling its services.
Large providers are usually more cooperative when it comes to shutting down malicious servers; the smaller downstream providers that cooperate with the cybercriminals, however, simply load up new ones.
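The “block a big chunk of the address space” decision described above comes down to a simple question: how densely is a provider’s network populated with hosts already seen serving malicious content? The following is an added illustration of that logic, not code from the article, from Talos or from Cisco. It groups observed bad hosts by /24, blocks wholesale any block that crosses a hit threshold, and blocks the remaining hosts individually. The addresses are constructed sample values drawn from the RFC 5737 documentation ranges; the `prefix` and `threshold` parameters are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of hosts observed serving exploit-kit content.
# These are documentation-range addresses, not real infrastructure.
OBSERVED_BAD = [
    "203.0.113.5", "203.0.113.17", "203.0.113.44", "203.0.113.201",
    "203.0.113.250",                      # five hits in one /24
    "198.51.100.9", "198.51.100.12",      # two hits in another /24
]


def group_by_block(addresses, prefix=24):
    """Count how many observed bad hosts fall into each /prefix network."""
    counts = Counter()
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[net] += 1
    return counts


def build_blocklist(addresses, prefix=24, threshold=3):
    """Return a collapsed list of networks to block.

    A /prefix network with at least `threshold` bad hosts is blocked
    wholesale (the "big chunk" approach); hosts in sparser networks are
    blocked individually as /32 entries so legitimate neighbours survive.
    """
    counts = group_by_block(addresses, prefix)
    entries = [net for net, hits in counts.items() if hits >= threshold]
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in entries):
            entries.append(ipaddress.ip_network(f"{addr}/32"))
    # collapse_addresses merges adjacent or overlapping entries into the
    # smallest equivalent set of networks.
    return sorted(ipaddress.collapse_addresses(entries))


def is_blocked(address, blocklist):
    """True if `address` falls inside any network on the blocklist."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in blocklist)


if __name__ == "__main__":
    blocklist = build_blocklist(OBSERVED_BAD)
    for net in blocklist:
        print("block", net)
    for probe in ("203.0.113.99", "198.51.100.10", "198.51.100.12"):
        print(probe, "blocked" if is_blocked(probe, blocklist) else "allowed")
```

With the sample data, the dense /24 is blocked as a whole while the two isolated hosts in the second range are listed individually. The threshold is the policy knob: a low value mirrors the article’s “large chunks of their network were actually bad” reasoning, at the cost of collateral blocking of any legitimate customers sharing the same provider range, which is why the article notes that the wholesale block was coordinated with a resolver operator that was already blocking most of that space.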
“We were able to inflict some damage to RIG during our investigation, but were unable to actually get the actors behind the activity stopped,” Biasini reported.
RIG, also known as Goon, first appeared in 2013. Unlike Angler’s unstable activity levels, RIG shows more of a “slow but steady” level of activity. In addition, RIG is widely used for installing spam botnets, while Angler is known more for ransomware and other kinds of malware installers. Both, however, offer exploits as a service.
When a PC user visits an infected website, or a site carrying a malicious ad, the exploit kit starts looking for vulnerabilities in the user’s browser. If a vulnerability is found, the malware is quietly installed in the background.
Over the past two months, the most commonly used vulnerability has been CVE-2015-5119. This is a critical vulnerability affecting Flash versions 18 and older, which has been patched in more recent releases.
According to Talos, most of RIG’s payloads were detected by more than half of antivirus vendors, yet infections continue to increase, especially among Internet Explorer users on Windows platforms.