The fall of Exploit Kits: RIG EK turns to cryptocurrency

Infamous RIG Exploit Kit actively involved in cryptominers

Since the end of 2017, cybersecurity experts revealed a phenomenon – an unusually large RIG Exploit Kit^[1] payloads carrying cryptominers for Monero, Bytecoin, Elecroneum, and other CryptoMiners.

It turns out that the developers of RIG Exploit Kit did not manage to resist the crypto craze and started spreading coin miners via drive-by-download attacks.

The malvertising campaign infecting users with RIG EK to start mining cryptocurrency is dubbed as Ngay^[2] campaign and is expected to proliferate throughout the year of 2018.

The drive-by download attack is being initiated by causing complex redirection chain, including but not limited to bestabid and XML feeds upstream eventually leading to RIG EK carrying a payload with multiple cryptocurrency mining files.

Segura, well-known malware analysts from Malwarebytes, points out to the continuously increasing interest and popularity of digging cryptocurrency,^[3] so it's expected that crooks will find out new ways to hijack computers and attack them to the mining bots. The inclusion of RIG EK into this affair is a perfect illustration.

As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gains and increased anonymity. […] As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors.

Drive-by download attacks drop Monero miner accompanied by less popular currency miners

If the RIG Exploit Kit detects software vulnerabilities on the target system, it launches a larger-than usually payloads, which carry Monero miner in a leading position accompanied with Bytecoin, Elecroneum, Ethereum, Litecoin, Dash or what not.

Upon successful installation, the exploit kit enables the executables that start using system's CPU and GPU resources for mining the cryptocurrency thus rendering the PC slow and unresponsive.^[4]

Apparently, Monero,^[5] the most widely used cryptocurrency, is the primary digital currency that is sought by drive-by mining attackers. Once the payload is executed, Monero miner is being registered as a running service, which can be found in Task Manager. According to the latest reports, people can notice multiple processes of starter.exe and 3yanvarya.exe. Subsequently, other coin miners start their operations starting sucking system's resources hoisting CPU consumption up to 100 percent.

While some of the digital currency miners tend do not descend on CPU and GPU usage and take up to 30-40 percent, the crooks that are responsible for drive-by download attacks via RIG EK are craving for many cryptocurrency coins and fast.

The fall of Exploit kits

Brad Duncan, the network security researcher from Palo Alto Network, points out that the predominance of the exploit kits that were used for the distribution of ransomware, spyware, keylogger, and other severe cyber infections is coming to an end.

Since 2016 summer till the fall of 2017, not a single exploit kit operation has been revealed on the market, except Sundown and Neutrino. In comparison to how the developers of exploit kits dictated the rules before 2016, the current years seem to be extremely quiet.^[6]

Experts speculate that the tendency of exploit kits going down will hardly change. Hackers that seek to attack people with drive-by-download attacks by exploiting software vulnerabilities face many difficulties thanks to web browser developers who prefer HTML-5 policy and decline in Flash usage.

Although RIG and other infamous exploit kits can hardly push ransomware, hackers found a way to misuse them for the execution of cryptominers and Trojans info stealer. However, an in-depth analysis showed that the extent of such attacks is not vast. Therefore, it is expected that smaller numbers of exploit kit victims will lead to a complete crash of such and similar attacks.