The authors of the RIG exploit kit have bounced back after a source code leak and are now again happily infecting computers at the rate of around 27,000 machines a day.
The exploit kit, widely available at underground cybercrime markets, had its source code leaked in February.
Trustwave Spiderlabs researchers say that since that heist the "product" has been polished with a version 3.0 overhaul to reduce the likelihood that its source code could again be leaked and payloads accessed.
"Not only did RIG 3.0 manage to maintain the exploitation percentage of RIG 2.0, it also managed to vastly increase its number of hits reaching the high volume of over 3.5 million hits (impressions)," the team says in analysis.
"[It] attempted to infect 3.5 million machines and succeeded in infecting 1.25 million machines, meaning on average 27,000 infected machines per day."
Researchers pin much of the infection rate on Adobe Flash vulnerabilities including those revealed in the recent Hacking Team leak.
They say a single unnamed RIG customer is making a potential US$100,000 a month by using the exploit kit to build the Tofsee spam botnet. That attack represents 70 percent of RIG infections.
Malvertising is a vector of choice or targeting victims with RIG. Unnamed large news sites, investment consultancies, and IT providers are among those infected.
Researchers say RIG's infrastructure is resilient, noting that the virtual dedicated server middle layer which holds the kit's exploits remains on the same IP as the leaked version 2.0 and has suffered only a single antivirus detection.
Sophos analysis last month found the Angler exploit kit was the dominant player hoovering up 82 percent of the market having nearly assumed the role of scuttled hack box BlackHole.
That research oddly did not list RIG in its exploit kit market share analysis but is mentioned as a top 10 kit in the SANS Institute June analysis. ®