The operators behind the Rig Exploit Kit replaced the Raccoon Stealer malware with the Dridex financial trojan as part of an ongoing campaign that began in January 2022.
The change of modus operandi, Point by the Romanian company Bitdefender, follows the temporary closure of the project by Raccoon Stealer after the death of one of its team members responsible for critical operations during the Russian-Ukrainian war in March 2022.
The Rig Exploit Kit stands out for its misuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing Trojan that is advertised and sold on underground forums as malware-as-a-service (MaaS) for $200 per month.
That said, the cast of Raccoon Stealer are already working on a second version which should be “rewritten from the ground up and optimized”. But the void left by the malware’s release is being filled by other information stealers such as RedLine Stealer and Vidar.
Dridex (aka Bugat and Cridex), for its part, has the ability to download additional payloads, infiltrate browsers to steal customer login information entered on banking websites, capture screenshots and log keystrokes, among others, through different modules that allow its functionality to be extended at will.
In April 2022, Bitdefender discovered another Rig Exploit Kit campaign distributing the RedLine Stealer Trojan by exploiting an Internet Explorer flaw patched by Microsoft last year (CVE-2021-26411).
That’s not all. Last May, a separate campaign exploited two scripting engine vulnerabilities in unpatched Internet Explorer browsers (CVE-2019-0752 and CVE-2018-8174) to deliver malware called WastedLoader, so named for its similarities to WasterLocker but lacking the ransomware component.
“This demonstrates once again that threat actors are agile and quick to adapt to change,” the cybersecurity firm said. “By design, Rig Exploit Kit enables rapid payload substitution upon detection or compromise, helping cybercriminal groups recover from disruptions or environmental changes.”