23 June 2022

RIG Exploit Kit infects systems with Dridex instead of Raccoon due to death of the latter’s developer


Hackers are now using the RIG Exploit Kit to deliver the Dridex banking trojan instead of the Raccoon Stealer it delivered previously.

Bitdefender Cyber Threat Intelligence Lab first spotted this trend in January 2022. According to the researchers, the switch was caused by a temporary halt of Raccoon Stealer’s activity in February, when one of its developers was killed in the Russian invasion of Ukraine.

First observed in April 2019, Raccoon Stealer is written in C++. It targets a critical vulnerability in Internet Explorer (CVE-2021-26411) that leads to remote code execution. The malware is able to steal credit card data, email credentials, cryptocurrency wallets, and other sensitive information. The info stealer is distributed as malware-as-a-service (MaaS) for $200 per month. Its operators provide subscribers with an automated backend panel, bulletproof hosting, and 24/7 support.

Although Raccoon Stealer is no longer operational, the hackers behind this new RIG Exploit Kit campaign decided not to halt their operation and quickly replaced it with the Dridex banking trojan.

The Dridex malware first appeared in 2012 and by 2015 had become one of the most prevalent banking trojans. It is built from multiple modules, which are capable of capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. Dridex can also steal data from browsers, detect access to online banking applications and websites, and inject keyloggers.
