RIG exploit kit strikes again, cryptocurrencies malvertising campaign

News by Larry Jaffee

A malvertising campaign uses decoy websites pushing cryptocurrencies and then redirects users to the RIG exploit kit, Malwarebytes Labs said.


The decoy page contains third-party JavaScript that appears to be loaded conditionally, based on the visitor's user agent and geolocation, according to a 28 February blog post.

One spoof site uses the URL http://investingtodayfix[dot]top and carries such enticing copy as “Earns Profit,” “the best invest site” and “we show you how.”

“That JavaScript contains many different ways to fingerprint users and determine whether they are legitimate or not by validating some checks,” says Jerome Segura, Malwarebytes Labs' lead malware intelligence analyst, who called the campaign “Coins LTD.”

Segura examined the JavaScript code and found that it contains many different ways to fingerprint users and to determine whether they are legitimate by validating some checks:

  • getHasLiedLanguages
  • getHasLiedResolution
  • getHasLiedOS
  • getHasLiedBrowser

The scheme features filtering steps to avoid bots, relying on a decoy gate, a ploy that cyber-attackers are using more often these days, he notes.
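
For analysts who run crawlers or sandboxes against gates like this, the following added example (not from the Malwarebytes post or the campaign's script) audits a browser profile for the inconsistencies the four check names suggest. The check logic, the `auditProfile` and `osFamily` names and both sample profiles are assumptions constructed for illustration.

```javascript
// Added example: the check logic is assumed from the check names on this page,
// not recovered from the campaign's script.

// Coarse OS family from either a user-agent string or navigator.platform.
function osFamily(s) {
  s = String(s).toLowerCase();
  if (s.includes("iphone") || s.includes("ipad")) return "iOS";
  if (s.includes("android") || s.includes("linux")) return "Linux";
  if (s.includes("win")) return "Windows";
  if (s.includes("mac")) return "Mac";
  return "Other";
}

// Returns the list of attribute groups that contradict each other.
function auditProfile(p) {
  const findings = [];
  // Languages: the first preferred language should agree with navigator.language.
  if (Array.isArray(p.languages)) {
    const first = p.languages[0] || "";
    if (first.slice(0, 2) !== String(p.language || "").slice(0, 2)) findings.push("languages");
  }
  // Resolution: the available area cannot be larger than the full screen.
  const sc = p.screen;
  if (sc.width < sc.availWidth || sc.height < sc.availHeight) findings.push("resolution");
  // OS: the user agent and navigator.platform should name the same family.
  if (osFamily(p.userAgent) !== osFamily(p.platform)) findings.push("os");
  // Browser: productSub is "20100101" in Firefox and "20030107" in Chrome and Safari.
  if (/firefox|chrome|safari/i.test(p.userAgent)) {
    const expected = /firefox/i.test(p.userAgent) ? "20100101" : "20030107";
    if (p.productSub !== expected) findings.push("browser");
  }
  return findings;
}

// Constructed sample profiles (not captured data).
const UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
           "(KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36";
const consistentProfile = {
  userAgent: UA, platform: "Win32", language: "en-US", languages: ["en-US", "en"],
  productSub: "20030107",
  screen: { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040 },
};
const spoofedProfile = {   // Windows UA pasted onto a Linux crawler with default settings
  userAgent: UA, platform: "Linux x86_64", language: "en-US", languages: [],
  productSub: "20030107",
  screen: { width: 800, height: 600, availWidth: 1920, availHeight: 1080 },
};
```

A crawler profile that returns a non-empty list here is likely to be sorted into the bot bucket by a gate of this kind and shown only the decoy content.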
