Hackers are compromising websites with iframe injections that redirect visitors to the RIG exploit kit landing page. The EK then infects the victim with Princess ransomware.
Hackers are compromising websites with iframe injections that redirect visitors to the RIG exploit kit landing page. The EK then infects the victim with Princess ransomware.

A newly discovered drive-by download campaign is infecting victims with Princess Locker ransomware, by way of the RIG exploit kit.

According to a blog post published on Thursday, researchers at Malwarebytes recently found evidence on Aug. 30 that hackers are compromising websites with iframe injections designed to redirect visitors through a gate and then on to the RIG landing page. From there, the exploit kit capitalizes on one of a number of Internet Explorer and Flash Player vulnerabilities to run the Princess malware.

Princess encrypts victims files and, in this latest campaign, is demanding a ransom of 0.0770 bitcoins, or approximately $370 as of this writing. Additionally, BleepingComputer had recently tweeted about a new Princess payment page found on the Tor network, which is now actively being used.

"We are not so accustomed to witnessing compromised websites pushing exploit kits these days," writes blog post author Jerome Segura, lead malware intelligence analyst at Malwarebytes. "The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely."

When Princess appeared last year, it was noted for using the same Tor page template as Cerber ransomware; however, Malwarebyte's analysis of the code found the malware itself to be quite different. A researcher was able to develop a decryptor for one of Princess's earlier versions, but it does not work on newer variants "because they have correctly implemented secure functions from the Windows cryptography API," Segura explained in an interview with SC Media.