Tag Archive for: kit

Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

“RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

“Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.

The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”
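The User-Agent matching described above is something a defender can turn around: the same parsing, run over your own web-proxy logs, tells you which clients still present the Internet Explorer User-Agent strings that the kit's exploit server selects exploits for (the recent campaigns mentioned further down target an IE flaw). The following is an added C example, not code from the PRODAFT report or from the kit itself. The log lines are constructed, and the log format (client IP, quoted User-Agent, requested URL) is an assumption for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the first double-quoted field of a log line into out; returns 1 on success. */
int extract_quoted(const char *line, char *out, size_t outsz) {
    const char *start = strchr(line, '"');
    if (!start) return 0;
    start++;
    const char *end = strchr(start, '"');
    if (!end) return 0;
    size_t len = (size_t)(end - start);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Internet Explorer major version advertised by a User-Agent string, or 0 when the
   UA is not IE. IE 10 and earlier send "MSIE N.0"; IE 11 dropped that token and is
   recognised by "Trident/7.0" together with "rv:11.0". Firefox also sends "rv:" but
   never "Trident/", so both tokens are required for the second form. */
int ie_major_version(const char *ua) {
    const char *msie = strstr(ua, "MSIE ");
    if (msie) return atoi(msie + 5);
    if (strstr(ua, "Trident/")) {
        const char *rv = strstr(ua, "rv:");
        if (rv) return atoi(rv + 3);
    }
    return 0;
}

/* Constructed sample proxy log lines (not taken from the report): client IP,
   quoted User-Agent, requested URL. */
const char *const SAMPLE_LOG[] = {
    "10.0.0.5 \"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\" http://example.invalid/",
    "10.0.0.7 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\" http://example.invalid/",
    "10.0.0.9 \"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\" http://example.invalid/",
    "10.0.0.11 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0\" http://example.invalid/",
};
const int SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Walk the log, print each IE client (IP and version), and return how many lines were flagged. */
int report_ie_clients(const char *const *lines, int n) {
    int flagged = 0;
    char ua[512];
    for (int i = 0; i < n; i++) {
        if (!extract_quoted(lines[i], ua, sizeof ua)) continue;
        int v = ie_major_version(ua);
        if (v == 0) continue;
        flagged++;
        const char *sp = strchr(lines[i], ' ');
        int iplen = sp ? (int)(sp - lines[i]) : (int)strlen(lines[i]);
        printf("IE %d client: %.*s\n", v, iplen, lines[i]);
    }
    return flagged;
}

int main(void) {
    int n = report_ie_clients(SAMPLE_LOG, SAMPLE_LOG_LEN);
    printf("%d of %d requests came from Internet Explorer\n", n, SAMPLE_LOG_LEN);
    return 0;
}
```

The output is an inventory, not an alert: every host it lists is one the kit's exploit server would hand an Internet Explorer exploit to, so the list is the patch-or-retire queue for the browser the recent campaigns target.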

“The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”

Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.

Recent RIG EK campaigns have targeted a memory corruption vulnerability impacting Internet Explorer (CVE-2021-26411, CVSS score: 8.8) to deploy RedLine Stealer.

Other browser flaws weaponized by the malware include

Source…

RIG Exploit Kit Now Infects Victims’ PCs With Dridex Instead of Raccoon Stealer

The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022.

The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022.

The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that’s advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month.

That said, the Raccoon Stealer actors are already working on a second version that’s expected to be “rewritten from scratch and optimized.” But the void left by the malware’s exit is being filled by other information stealers such as RedLine Stealer and Vidar.

Dridex (aka Bugat and Cridex), for its part, has the capability to download additional payloads, infiltrate browsers to steal customer login information entered on banking websites, capture screenshots, and log keystrokes, among others, through different modules that allow its functionality to be extended at will.

In April 2022, Bitdefender discovered another Rig Exploit Kit campaign distributing the RedLine Stealer trojan by exploiting an Internet Explorer flaw patched by Microsoft last year (CVE-2021-26411).

That’s not all. Last May, a separate campaign exploited two scripting engine vulnerabilities in unpatched Internet Explorer browsers (CVE-2019-0752 and CVE-2018-8174) to deliver a malware called WastedLoader, so named for its similarities to WastedLocker but lacking the ransomware component.

“This once again demonstrates that threat actors are agile and quick to adapt to change,” the cybersecurity firm said. “By design, Rig Exploit Kit allows for rapid substitution of payloads in case of detection or compromise, which helps cyber criminal groups recover from disruption or environmental changes.”

Source…

Underminer Exploit Kit -The More You Check, The More Evasive You Become

The Underminer exploit kit has surfaced numerous times since 2019, but here it is back again delivering the Amadey malware, as the Malwarebytes Threat Intelligence team found last week.

Exploit Kit

An exploit kit (EK), or exploit pack, is a type of toolkit cybercriminals use to exploit vulnerabilities in systems so that they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that target commonly installed software, such as Adobe Flash®, Java®, and Microsoft Silverlight®.

A typical exploit kit usually provides a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack. Exploit kits typically integrate vulnerabilities of popular applications, which many users leave poorly patched.

An exploit kit can also be used by someone with no experience writing software to create, customize, and distribute malware.

Underminer Exploit Kit

Underminer EK was first seen in the wild in 2017, targeting Asian countries by first deploying bootkits (malware loaded during the boot process that controls operating system start-up and modifies the system before security components are loaded) for OS persistence, and then a coinminer in a later stage. Back then, this EK spread by malvertising and exploiting browser vulnerabilities. One of the coinminers distributed by this EK was “Hidden Bee”, a covertly running Chinese miner.

When we dig into the Underminer EK, its authors appear to have a good grasp of anti-debugging techniques, since they applied plenty of them. We will discuss the interesting ones below.

The first check this EK performs uses the rdtsc assembly instruction, which returns the number of CPU ticks elapsed since the processor was reset. Besides timing, this instruction serves as an anti-debugging technique. The most common pattern is to read the current timestamp, save it in a register, read a second timestamp after the protected code, and check whether the delta between the two is below an exact number of ticks pre-decided by the author; a delta above that figure suggests the code was paused or single-stepped in a debugger. In our…
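To make the check concrete for analysts who run into it, here is an added C example (not code from the Underminer kit or from the Malwarebytes write-up) that implements the timing comparison exactly as the paragraph describes it: read the time-stamp counter, run the region being protected, read it again, and compare the delta with an author-chosen tick budget. The budget value, the `protected_region` stand-in and the clock_gettime fallback for non-x86 builds are assumptions for the example.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Read the time-stamp counter: CPU ticks since the processor was reset. */
uint64_t read_ticks(void) { return __rdtsc(); }
#else
#include <time.h>
/* Non-x86 fallback (assumption for portability): a monotonic nanosecond clock
   stands in for the TSC so the same comparison can be exercised. */
uint64_t read_ticks(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Author-chosen tick budget for the bracketed region. A constructed placeholder;
   the kit's real figure is not given in the write-up. */
#define TICK_BUDGET 0x100000ULL

/* The decision itself, kept free of timing so it can be tested deterministically:
   a delta above the budget is what the kit treats as "someone is stepping through this". */
int delta_suggests_debugger(uint64_t delta, uint64_t budget) {
    return delta > budget;
}

/* Bracket a region with two counter reads and return the elapsed ticks. */
uint64_t measure_region(void (*region)(void)) {
    uint64_t t0 = read_ticks();
    region();
    uint64_t t1 = read_ticks();
    return t1 - t0;
}

/* Stand-in for the code the kit protects: a short loop, volatile so it is not optimised away. */
void protected_region(void) {
    volatile unsigned acc = 0;
    for (unsigned i = 0; i < 10000; i++) acc += i;
}

int main(void) {
    uint64_t delta = measure_region(protected_region);
    printf("region took %llu ticks; budget %llu; debugger suspected: %s\n",
           (unsigned long long)delta, (unsigned long long)TICK_BUDGET,
           delta_suggests_debugger(delta, TICK_BUDGET) ? "yes" : "no");
    return 0;
}
```

Two things an analyst should take from it. The delta is inflated by anything that preempts the thread (interrupts, context switches, hypervisor exits), not only by a breakpoint, so the check misfires on busy hosts and the author's threshold is a guess about the victim's machine. And the pattern is recognisable in disassembly: two `rdtsc` reads bracketing the protected code, a subtraction, and a compare against an immediate, with the "suspected" branch usually leading to a bail-out path.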

Source…

Yubico Facilitates Switch to Passwordless Security with WebAuthn Starter Kit

Yubico has released a brief explainer for developers who are interested in its Yubico WebAuthn Starter Kit. The Kit is now available in early access and is designed to make the transition to a passwordless authentication environment as smooth as possible.

To that end, the Starter Kit comes with documentation that explains the logic behind WebAuthn, as well as ready-to-run code that can be immediately deployed to enable the use of YubiKeys on any Amazon Web Services (AWS) account. The goal is to provide developers with practical step-by-step instructions for the actual implementation, while making sure that they understand why they are taking each of those steps.

In doing so, Yubico is hoping to eliminate the most common pain points for organizations looking to migrate to a passwordless authentication environment. The Starter Kit uses a dynamic, identity-based flow that will automatically direct users to the strongest authentication option available on their device or browser, whether it is device biometrics or a security key like a YubiKey. The environment itself is designed to mimic the password-based flows that developers are already familiar with, and will still support the use of passwords for those who cannot or are not ready to make the switch.

The Starter Kit can be used with a free AWS account, and is based on the AWS Serverless Application Model. To give customers a better sense of what they can do, the Kit comes with a sample web client in addition to the AWS-hosted server needed to run the solution.

According to Yubico, the Kit will give architects the theoretical background they need to design high-level systems, while simultaneously giving user-facing developers the tools they need to deploy new authentication options and enable key features like account recovery. It also shows backend developers how to manage large numbers of user credentials.

Yubico is trying to encourage the adoption of WebAuthn as a new global security standard. The company recently proposed a new WebAuthn protocol that will make it easier to create backup security keys, while AWS brought native WebAuthn support to its Single Sign-On solution.

Source…