
On June 7, 2016, the Angler exploit kit all of a sudden disappeared. It’s unclear exactly what led to Angler’s demise, but all reports indicate the exploit kit shut down after Russian authorities arrested 50 members of a hacker group that developed Lurk malware along with Angler.

So, what did the exploit kit world do in response? It did what it always does. It adapted, this time by shifting much of its campaigns to the Neutrino exploit kit.

Given the sudden uptick in popularity, Neutrino had a busy summer. Computer criminals swiftly paired the exploit kit with CryptXXX ransomware and began distributing both via script injection attacks and botnet campaigns targeting vulnerable websites.

Perhaps Neutrino’s biggest campaign came when ShadowGate, a popular initial redirection point for exploit kits, abused the OpenX ad network to redirect as many as one million users to a landing page for the exploit kit and for CrypMic ransomware.

[Image: Talos ShadowGate. Source: Cisco Talos]

But if you make that much noise, someone’s bound to hear you.

Sure enough, the Talos Group got wind of the malvertising campaign and enlisted the help of domain registrar GoDaddy to shut down the registered domains hosting ShadowGate. That put a stop to the ransomware infections…but only for a moment.

Computer criminals have adapted once again by entrusting the RIG exploit kit with the ongoing distribution of CrypMic ransomware.

According to Heimdal Security, the latest campaign is a pseudo-Darkleech campaign in that it leverages malicious iframes to achieve something that resembles a Darkleech infection, or a malware infection of a server at the root level.

The campaign begins when a group of attackers leverages script injection to compromise a vulnerable website. Once they have a web page under their control, the attackers use a technique known as domain shadowing to silently create subdomains without letting the domain owner know what they’re up to.

That’s when RIG steps in. As Heimdal’s Andra Zaharia explains:

“RIG exploit kit has been spotted in several campaigns that use an ‘iframe src’ as the malicious inject to divert traffic to the arbitrary web pages created through domain shadowing.”

Some of the domains infected in this campaign include (sanitized) arizonasboonstak.artofmusicstudio [.] com, pravde2lamineer.panichconsulting [.] com, and laceriakoksverket.lovepassfilter [.] com.
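
A site owner's check for the inject described above, as an added example that is not from Heimdal, Talos or the original article: it lists every iframe whose src host is outside an allowlist of full hostnames. The sample page, the `.example` hostnames and the function names are constructed; the `match_subdomains` switch shows why allowing a whole parent domain lets a shadowed subdomain through.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def audit_iframes(html, page_url, allowed_hosts, match_subdomains=False):
    """Return (src, host) for each iframe whose host is not allowed.
    match_subdomains=True also accepts any subdomain of an allowed name."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Resolve relative and protocol-relative (//host/path) sources.
        host = urlsplit(urljoin(page_url, src)).hostname
        if host is None:  # e.g. about:blank, no network host to check
            continue
        ok = host in allowed
        # Suffix matching trusts the parent domain, which shadowing abuses.
        if not ok and match_subdomains:
            ok = any(host.endswith("." + a) for a in allowed)
        if not ok:
            findings.append((src, host))
    return findings

# Constructed sample page; every hostname uses the reserved .example TLD.
PAGE_URL = "https://www.shop.example/index.html"
SAMPLE_PAGE = """<html><body>
<iframe src="/widgets/news.html"></iframe>
<iframe src="https://player.video-partner.example/embed/42"></iframe>
<iframe src="http://qzxkvw.video-partner.example/index.php"></iframe>
<iframe src="//lmnrtp.small-studio.example/?a=1"></iframe>
</body></html>"""

if __name__ == "__main__":
    exact = {"www.shop.example", "player.video-partner.example"}
    for src, host in audit_iframes(SAMPLE_PAGE, PAGE_URL, exact):
        print(f"unexpected iframe host {host}: {src}")
```
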

The campaign serves up its final payload, CrypMic ransomware, by exploiting vulnerabilities in Adobe Flash Player. Once it’s installed onto a victim’s computer, CrypMic initiates communication with its command and control server for instructions, a connection which enables the ransomware to begin encrypting a victim’s files.

As of 21 September 2016, only 15 out of 56 anti-virus providers on VirusTotal detect the campaign.

It’s, therefore, imperative that users protect themselves against this campaign by keeping their software up to date and by maintaining an up-to-date anti-virus solution on their machines.

It also wouldn’t hurt for them to follow some ransomware prevention tips, such as backing up their information regularly and avoiding suspicious links and email attachments.


Tripwire University
  • Sruthi Inguva

    A typical exploit kit includes a collection of web pages with exploits for several vulnerabilities in popular web browsers, browser add-ons, or other types of software. One reason exploit kits are so dangerous to both consumers and businesses is that an attacker needn’t be a skilled hacker to use one. Prospective attackers can buy or rent exploit kits on malicious hacker forums and other outlets.