The latest build of the Rig exploit kit has returned to the hacker marketplace and has infected 1.25 million machines in the past six weeks, according to research carried out by Trustwave.
Known as Rig 3.0, the latest version of the malware can infect up to 27,000 computers in a single day, and the research suggests that, despite similar infrastructure to the previous build, it is now more secure than ever.
This comes after a section of the Rig 2.0 source code was leaked online by one unhappy customer earlier this year. However, it is the turnaround time of this new release that is of particular interest to security researchers.
The Rig exploit kit is roughly one year old and is primarily used by hackers to spread malvertising, exploiting flaws in Flash, Java and Microsoft Silverlight.
The Trustwave research revealed that 90 percent of the traffic flowing through Rig was the result of malicious advertising.
"Many large websites were abused by malvertising campaigns in order to redirect visitors to the Rig exploit kit. These include large news sites, investment consulting firms, IT solution providers, etc., all of them ranked in Alexa's top 3000," the report stated.
However, the rate of infection remains a critical feature of Rig. Since the release of the new build, the kit has landed 3.5 million potential victims.
One of the reasons for the high infection rate is that Rig takes advantage of the vulnerabilities recently discovered in Flash as a result of the Hacking Team data leaks.
"Some of the exploits have been a result of reverse-engineering patches, and others are the direct result of the Hacking Team leak, which included Adobe Flash zero-day exploits CVE-2015-5119 and CVE-2015-5122," said the report.
One of the main 'payloads' identified by Trustwave is the Tofsee spambot, which accounts for 70 percent of all infections and is reportedly managed by a single customer.
The customer, identified in the report as 'Customer X', managed to infect up to 500,000 machines a month with the Tofsee payload.
"The going rate for spam campaigns is approximately $0.50 per 1,000 successfully sent emails. This particular payload of Tofsee was observed in our labs attempting to send approximately one million emails a day from a single bot, of which about 2,000 were successfully sent," the report stated.
Based on a number of variables, including a machine already being infected with malware and anti-virus software stopping the spread, Trustwave said that the successful spam message would be recycled by roughly 200,000 machines.
"We need to account for the various expenses Customer X has to incur (exploit kit rental, traffic for the exploit kit, bullet proof hosting, Tofsee licence). Eventually we end up with a realistic, yet somewhat conservative, estimate of revenue: $60,000 to $100,000," said the report.
"It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated and, worst of all, more widespread."
Karl Sigler, threat intelligence manager at Trustwave, told V3 that the country with the most infections is Brazil, with roughly 450,000 infected victims.
This is followed by Vietnam with 302,705 infections, the US with 45,889, Canada with 3,913 and the UK with 9,662.
Sigler indicated that the turnaround between exploit kits was particularly quick, and that there is "fierce competition" in the hacker underground, with many vendors lowering their prices as a result.
Lawrence Munro, director of EMEA and APAC at Trustwave, explained that the best way to avoid falling victim to the attack is to keep all software up to date and to "uninstall any software not actually in use".
"Businesses should be using managed anti-malware controls, such as gateway technologies that can detect and strip out malware in real time. These kinds of security controls help prevent such an attack," he added.