The RIG EK continues to remain the most consistently active EK and has been distributed over several simultaneous campaigns to install ransomware, banking Trojans, and cryptocurrency mining software, according to a Sept. 12 Zscaler blog post. While the EK's activity declined slightly in the latter part of spring traffic remained steady.
Over the last three months, researchers have seen an increase in the EK's presence in Indian while its activity in Eastern Europe and Russia, a region that typically serves a significant portion of RIG hosts, saw a decrease.
Researchers also noted a significant amount of Magnitude EK activity primarily targeting countries in Southeast Asian using malvertising campaigns. Although Magnitude has been seen in a lower volume in recent years, it is still one of the longest running exploit kits.
The Terror EK, which researchers described as relatively unsophisticated managed to undergo notable changes over the last two quarters including the introduction of a number of host and version fingerprinting scripts. The EK also began dropping various malware payloads including Tofsee, Andromeda/Gamarue, and Smoke Loader.
The EK also recently started using the CVE-2017-0059 bug, an Internet Explorer exploit affecting versions 9 through 11, and the CVE-2017-0037 bug, an exploit affecting Internet Explorer 10 and 11, and Microsoft Edge.
The newest EK, Disdain, first appeared in early August 2017 and sharers code with the Terror EK and even used the same URL pattern, but draws the line with its own distinct features. The Disdain campaign observed by researchers is delivered via a gate also distributed by RIG EK.
“The techniques exploit kit authors use to hide their activities are frequently changing, and security researchers work hard to analyze and block these new threats,” researchers said in the post. “To help avoid infections such as these, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements.”