Headline
RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer
The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022. The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in
The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022.
The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022.
The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that’s advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month.
That said, the Raccoon Stealer actors are already working on a second version that’s expected to be “rewritten from scratch and optimized.” But the void left by the malware’s exit is being filled by other information stealers such as RedLine Stealer and Vidar.
Dridex (aka Bugat and Cridex), for its part, has the capability to download additional payloads, infiltrate browsers to steal customer login information entered on banking websites, capture screenshots, and log keystrokes, among others, through different modules that allow its functionality to be extended at will.
In April 2022, Bitdefender discovered another Rig Exploit Kit campaign distributing the RedLine Stealer trojan by exploiting an Internet Explorer flaw patched by Microsoft last year (CVE-2021-26411).
That’s not all. Last May, a separate campaign exploited two scripting engine vulnerabilities in unpatched Internet Explorer browsers (CVE-2019-0752 and CVE-2018-8174) to deliver a malware called WastedLoader, so named for its similarities to WasterLocker but lacking the ransomware component.
“This once again demonstrates that threat actors are agile and quick to adapt to change,” the cybersecurity firm said. “By design, Rig Exploit Kit allows for rapid substitution of payloads in case of detection or compromise, which helps cyber criminal groups recover from disruption or environmental changes.”
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023. "The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows
Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]
The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News. "Although it has yet to substantially change its exploits in its more recent activity, the type and
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is
By Habiba Rashid The backdoor is equipped with a wide range of spying capabilities, including exfiltrating files, keylogging, and stealing browser data, etc. This is a post from HackRead.com Read the original post: North Korean APT37 Unleashes Dolphin Backdoor on South Korea
The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing
Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.