The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service's long operational history. By exploiting relatively old Internet Explorer vulnerabilities, such as CVE-2016-0189, CVE-2019-0752, CVE-2020-0674, and CVE-2021-26411, RIG EK has been seen distributing various malware families, including Dridex, SmokeLoader, and RaccoonStealer. According to a detailed report by Prodaft, whose researchers gained access to the service's backend web panel, the exploit kit remains a significant large-scale threat to individuals and organizations.
RIG EK primarily pushes information-stealing and initial access malware, with Dridex being the most common (34%), followed by SmokeLoader (26%), RaccoonStealer (20%), Zloader (2.5%), Truebot (1.8%), and IcedID (1.4%). As a Prodaft researcher stated, “The RIG administrator had taken additional manual configuration steps to ensure that the malware was distributed smoothly. Considering all these facts, we assess with high confidence that the developer of Dridex malware has a close relationship with the RIG's admins.”