23 June 2022

RIG Exploit Kit infects systems with Dridex instead of Raccoon due to death of the latter’s developer

Hackers are now using the RIG Exploit Kit to deliver the Dridex banking trojan rather than Raccoon Stealer, which the kit had delivered before.

Bitdefender’s Cyber Threat Intelligence Lab first spotted this trend in January 2022. According to the researchers, the switch was caused by a temporary halt in Raccoon Stealer’s activity in February, when one of its developers was killed during the Russian invasion of Ukraine.

First observed in April 2019, Raccoon Stealer is written in C++. It targets a critical vulnerability in Internet Explorer (CVE-2021-26411) that allows remote code execution. The malware is able to steal credit card data, email credentials, cryptocurrency wallets, and other sensitive information. The info stealer is sold as malware-as-a-service (MaaS) for $200 per month; its operators provide subscribers with an automated backend panel, bulletproof hosting, and 24/7 support.

Although Raccoon Stealer is no longer operational, the hackers behind this new RIG Exploit Kit campaign decided not to stop their operation and quickly replaced the stealer with the Dridex banking trojan.

The Dridex malware first appeared in 2012, and by 2015 it had become one of the most prevalent banking trojans. It is built from multiple modules, which are capable of capturing screenshots, acting as a virtual machine, or enlisting the victim machine into a botnet. Dridex can also steal data from browsers, detect access to online banking applications and websites, and inject keyloggers.
