There’s been a massive uplift in exploit kit usage by cybercriminals worldwide, with Rig reaching fifth place in South Africa and second place worldwide in the Check Point Software Technologies’ March Global Threat Impact Index.

Exploit kits, which are designed to discover and exploit vulnerabilities on machines in order to download and execute further malicious code, have been in decline since a high point in May 2016, following the demise of the leading Angler and Nuclear variants.

However, March saw the Rig EK surge up the rankings, being the second most-used malware worldwide throughout the period. The Terror exploit kit also increased dramatically in usage in March, and was just one place from making it into the monthly top ten list.

Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript, which then checks for vulnerable plug-ins and delivers the exploit. Terror was first detected at the start of December 2016, and contained eight different operational exploits.

Both Rig and Terror have been witnessed delivering a wide variety of threats, from ransomware and banking Trojans to spambots and bitcoin miners.

Ransomware proved one of the most profitable tools at cybercriminals’ disposal throughout 2016, and with popular Exploit Kits now being used to deliver it, the threat shows no sign of dying down.

The most common malware used in South Africa in March were Virut and Dorkbot in first and second place, followed by Sality.

March 2017’s top three “most wanted” malware in South Africa:

* Virut – Botnet and malware distributor used in DDoS attacks, spam distribution, data theft and fraud. The malware is spread through infected devices such as USB sticks as well as compromised websites and files.

* Dorkbot – Backdoor bot agent which infects Windows-based hosts. It allows an attacker to access the compromised system and uses it as a Bot to perform various actions including sending spam, stealing confidential information and conducting DoS attacks against a particular target.

* Sality – Family of file infectors spread by infecting .exe and .scr files and via removable drives and network shares. Systems infected with Sality can communicate over a peer-to-peer (P2P) network for spamming purposes, proxying of communications, and to compromise web servers, exfiltrate sensitive data and coordinate distributed computing tasks to process intensive tasks.

Doros Hadjizenonos, country manager of Check Point South Africa, comments: “The dramatic resurgence of Exploit Kits in March illustrates that older threats don’t disappear forever – they simply go dormant and can be quickly redeployed.  It is always easier for malicious hackers to revisit and amend existing malware families and threat types rather than develop brand new ones, and Exploit Kits are a particularly flexible and adaptable threat type.

“To deal with the threat from Rig, Terror and other Exploit Kits, organisations need to deploy advanced security systems across the entire network, such as Check Point’s SandBlast Zero-Day Protection and Mobile Threat Prevention.”