While overall exploit kit activity has been somewhat low during the past weeks, we have noted some changes in Neutrino, the leading EK in the post Angler era, as well as a spike in its use to infect victims via malvertising attacks.

The Neutrino developers have made some changes to the landing page source code as well as integrated a new exploit. The malware campaigns that once were Angler’s continue to point to Neutrino including a large malvertising attack on top adult sites we detected a few days ago.

In this post, we review noteworthy events that have happened recently.

Neutrino EK core

Landing page changes

Around July 5th, the Neutrino landing page changed patterns by adding some HTML tags and random strings, most likely to make identification harder. The landing page is the first point of contact between the user’s browser and an exploit kit. It typically checks the system for vulnerabilities and then fires up various exploits before eventually dropping the malware payload.

Before July 5th: a script tag with random values precedes the call for the malicious SWF.

before

On July 5th: The script tag is still there but we notice the addition of some div tags with text strings, followed by the call for the malicious SWF.

on

After July 5th, to present: The script tag is now gone, and numerous div tags are added, also with text strings that change regularly.

after

New IE vulnerability added

While Neutrino lacks the sophistication and rapid integration of new exploits which made Angler famous, it is the first to adopt an Internet Explorer vulnerability (CVE-2016-0189) patched by Microsoft in May.

This was originally a zero-day exploited in targeted attacks in South Korea, but the integration into the exploit kit follows a proof of concept published in late June.

Once again, this new vulnerability is bundled with others into a single malicious Flash file, a signature move for Neutrino which likes to use Flash as a multi-purpose weapon.

MBAE

Distribution campaigns

  • Hacked sites

Compromised websites remain one of the top and most reliable distribution vector as website owners often don’t clean up their website or struggle cleaning them up. From those hacked servers, there are various campaigns or gates that perform the final redirection to the exploit kit (EITest, AfraidGate, Darkleechrealstatistics). These were typically the realm of Angler but went to Neutrino when the former disappeared.

  • Malvertising

In terms of malvertising activity, we saw a large campaign around July 9th which lasted a few days. This affected several top adult sites which normally attract millions of visitors each day, making them a great malware delivery avenue.

Referer: drtuber.com/video/1107472/subtitled-{NSFW}
-> Neutrino EK: onopphfwll.rcouldpink.top/call/eHVrc252

Keeping ahead of the competition

To be most effective, an exploit kit needs to constantly weaponize the latest vulnerabilities available but also possess some anti detection tricks to make it a stealthy infection delivery platform. It is clear that Neutrino has been adopted as the go-to EK and is being used via different actors in large campaigns with ransomware (Locky) being the most common payload being distributed.

Malwarebytes Anti-Exploit detects and blocks Neutrino which is currently exploiting several Flash Player and Internet Explorer vulnerabilities.