Malwarebytes researchers spotted a large malvertising campaign delivering the RIG exploit kit on popular sites, including answers(dot)com, and using a few tricks from its rival, Neutrino.
Over the last few weeks, RIG has been spotted dropping CrypMIC, a ransomware that Neutrino first served in July and researchers warn some users that visited sites serving the malicious ads may have been infected without clicking anything and may not know it, according to a Sept. 27 blog post.
Earlier this year, RIG changed the way that it drops its malware payload, rather than using the iexplore.exe process, researchers noted instances where wscript.exe was the parent process of the dropped binary.
“The way Neutrino EK is distributing its payload is slightly better as it can evade certain proxies,” Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura told SCMagazine.com via email comments. "RIG probably wanted to add this feature as well to keep up with its rival.”
He said it may seem like a minor difference but the attack method has been a Neutrino trademark for a long time. The fall of the Angler EK has left room for other exploit kits and the quality of the relationship between exploit kit operators, and malware distributors may have contributed to the growing popularity of RIG, Segura said.
Segura said evidence of RIG's success over Neutrino can be seen in its use in various malware campaigns. Users are advised to ensure that all of their systems are patched and to run an additional layer of protection such as exploit mitigation software to prevent infection.