RIG Exploit kit is back and up to no good again

RIG Exploit kit (currently the most used exploit kit) is now back, in its fourth upgraded version, and it’s up to no good again. Over the last few weeks, security analysts have been observing a rootkit named CEIDPageLock being distributed by the RIG Exploit kit.

What Is an Exploit Kit?

An exploit kit or is a toolkit malicious actors use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. A typical exploit kit usually provides a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

RIG is currently the most active exploit kit and has been since 2017, in fact, it was said to be responsible for infecting computers globally at a rate, on average, of 27,000 per day according to statistics released back in 2015 (TrendMicro).

We released a Magnify Alert in June of 2018 when developers expanded the RIG Exploit Kit by adding a new layer to the infection chain and crypto-currency mining malware as its final payload – read it here.

The RIG Exploit kit is now back, in its fourth upgraded version, and it’s up to no good again.

A New Pairing – RIG Exploit Kit & CEIDPageLock

Checkpoint have, over the last few weeks, been observing a rootkit named CEIDPageLock being distributed by the RIG Exploit kit. This version of CEIDPageLock tries to hijack your browser and turn your home page into 2345.com – a Chinese web directory.

While already quite sophisticated for a browser hijacker, the new version of the rootkit contains new functionality that monitors user browsing and dynamically replaces the content of several popular Chinese websites with the fake homepage, whenever the user tries to visit them. Check out a detailed analysis of CEIDPageLock by Checkpoint here.

Exposure In the Wild

The infection rate, so far, for this new RIG Exploit kit malware is low and has hit mostly Chinese users, but the potential to break out, based on past success, is evident.

While CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor.

Number of Infections by Country


How Can Organisations Protect Against Exploit Kits?

Promptly patch all endpoints in the system to block known threats that are integrated into exploit kits.

Deploy a solution with vulnerability protection technology to proactively shield your systems from unknown vulnerabilities based on network protocol deviations and other suspicious attack routines.

Update browsers and plugins to the latest version and maintain.

Implement browser exploit prevention technology that can protect zero-day vulnerabilities and block malware that may try to come in via your browser.

Applyign a least-privilege model also helps.