Saturday, June 11, 2016

Feedly: Understanding Java Code and Malware | Malwarebytes Unpacked. Neutrino Exploit Kit Fills In For Angler EK In Recent Malvertising Campaigns



from Understanding Java Code and Malware | Malwarebytes Unpacked

We have seen an uptick in drive-by downloads via the Neutrino exploit kit in the past few days. This holds across various paths to infection and is also confirmed by others such as Brad Duncan, who saw Neutrino deliver CryptXXX via the pseudo-Darkleech and EITest campaigns.

Case in point: the recent large malvertising campaigns we wrote about are still going on, but rather than Angler EK infecting victims, we now see the Neutrino exploit kit instead.

The following is a malvertising incident we caught on Yahoo!. As in previous cases, the rogue advertiser uses a shadowed subdomain to host both the ad banner and the malicious code. It is worth pointing out that the threat actors are using some of the open source OpenX ad serving code (the /www/delivery/spcjs.php endpoint in the flow below) to profile their victims before redirecting them.

Disclosure timeline:

  • 06/08/2016: Yahoo is informed via email
  • 06/08/2016: Yahoo acknowledges receipt of our email
  • 06/09/2016: Rogue subdomain goes offline
  • 06/10/2016: Blog post about this incident is published

Malvertising flow:

  • Publisher (Yahoo Taiwan): tw.yahoo.com
  • Yahoo ads: http://ift.tt/1WJeweG
  • Fraudulent advertiser: watch.pnwpga[.]com/www/delivery/spcjs.php?{redacted}
  • Open redirect: p.rfihub.com/cm?forward=http://hiapi.t1arealize[.]top/blackness/aHVuY2hz
  • Neutrino EK landing: ufysefs.t1arealize[.]top/almost/1605620/unhappy-career-health
  • Neutrino Flash Exploit (CVE-2016-4117): hiapi.t1arealize[.]top/1977/11/19/pant/member/symbol-twist-beach-victory-wait-jail.html.swf


Neutrino has been dropping ransomware lately, mainly CryptXXX, but we have also seen it drop Cerber. At the moment, both Angler and Neutrino can exploit Flash Player up to and including version 21.0.0.213, so a victim on any build at or below that is within reach of the current Flash exploits. This switch between the two kits is not new, but such a pronounced change in activity remains intriguing. After all, without Angler the exploit kit landscape just isn't the same.
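The flow above and the Flash ceiling in this paragraph are both things a detection engineer can check mechanically. The following is an added example (not code from the Malwarebytes post): it walks a constructed proxy log whose hops are the hosts listed in the flow (the Yahoo ad-server hop is omitted, since the post gives only a shortened link for it), rebuilds the referer chain, tags each hop with the indicators the post names (OpenX delivery script, open redirect whose `forward=` value points off-host, Flash payload with a `.html.swf` double extension), and gates on the stated 21.0.0.213 ceiling. The four-column log format, the client address, and the function names are assumptions made for the example.

```python
"""Added example, not from the Malwarebytes post: reconstruct the malvertising
chain from a constructed proxy log, tag the indicators the post describes, and
check a Flash Player build against the post's stated exploitable ceiling."""
import re
from urllib.parse import parse_qsl, urlsplit

# OpenX / Revive delivery endpoint, as seen in the fraudulent advertiser URL.
OPENX_DELIVERY = "/www/delivery/"
# Ceiling stated in the post: Angler and Neutrino exploit Flash up to this build.
FLASH_CEILING = "21.0.0.213"

# Constructed proxy log (hypothetical format: time client referer url; "-" = no referer).
# Hosts are the ones in the post's flow, kept defanged exactly as written there.
SAMPLE_LOG = """\
2016-06-08T10:00:01Z 10.0.0.5 - http://tw.yahoo.com/
2016-06-08T10:00:02Z 10.0.0.5 http://tw.yahoo.com/ http://watch.pnwpga[.]com/www/delivery/spcjs.php?{redacted}
2016-06-08T10:00:03Z 10.0.0.5 http://watch.pnwpga[.]com/www/delivery/spcjs.php?{redacted} http://p.rfihub.com/cm?forward=http://hiapi.t1arealize[.]top/blackness/aHVuY2hz
2016-06-08T10:00:04Z 10.0.0.5 http://p.rfihub.com/cm?forward=http://hiapi.t1arealize[.]top/blackness/aHVuY2hz http://hiapi.t1arealize[.]top/blackness/aHVuY2hz
2016-06-08T10:00:05Z 10.0.0.5 http://hiapi.t1arealize[.]top/blackness/aHVuY2hz http://ufysefs.t1arealize[.]top/almost/1605620/unhappy-career-health
2016-06-08T10:00:06Z 10.0.0.5 http://ufysefs.t1arealize[.]top/almost/1605620/unhappy-career-health http://hiapi.t1arealize[.]top/1977/11/19/pant/member/symbol-twist-beach-victory-wait-jail.html.swf
"""


def refang(url):
    """Turn the defanged 'host[.]tld' form back into a parseable URL."""
    return url.replace("[.]", ".")


def open_redirect_target(url):
    """Return the first absolute URL found in any query parameter whose host
    differs from the redirector's own host, else None. The post's redirector
    uses 'forward='; every parameter name is checked here, not just that one."""
    parts = urlsplit(refang(url))
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"https?://", value, re.I):
            target = urlsplit(value)
            if target.hostname and target.hostname != parts.hostname:
                return value
    return None


def classify(url):
    """Tag a URL with the indicators taken from the post's flow."""
    parts = urlsplit(refang(url))
    tags = []
    if OPENX_DELIVERY in parts.path:
        tags.append("openx-delivery")          # ad-serving code used for victim profiling
    if open_redirect_target(url):
        tags.append("open-redirect")           # off-host forward through a legitimate domain
    if re.search(r"\.html?\.swf$", parts.path, re.I):
        tags.append("flash-double-extension")  # exploit SWF disguised behind an .html name
    return tags


def parse_log(text):
    """Split the constructed log into (time, client, referer, url) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, referer, url = line.split()
        records.append((ts, client, None if referer == "-" else referer, url))
    return records


def reconstruct_chain(records, client, start_host):
    """Follow referer -> url links for one client, starting at the publisher
    host, to recover the ordered list of hops. Branching (one referer with
    several children) takes the first child; a length cap guards against loops."""
    by_referer = {}
    for _ts, c, referer, url in records:
        if c == client and referer is not None:
            by_referer.setdefault(refang(referer), []).append(refang(url))
    start = next(refang(u) for _ts, c, _r, u in records
                 if c == client and urlsplit(refang(u)).hostname == start_host)
    chain = [start]
    while by_referer.get(chain[-1]) and len(chain) < 50:
        chain.append(by_referer[chain[-1]][0])
    return chain


def flash_vulnerable(version, ceiling=FLASH_CEILING):
    """True if a dotted Flash Player build is at or below the post's ceiling,
    i.e. inside the range both kits could exploit at the time of writing."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(version) <= as_tuple(ceiling)


if __name__ == "__main__":
    for hop in reconstruct_chain(parse_log(SAMPLE_LOG), "10.0.0.5", "tw.yahoo.com"):
        print(hop, classify(hop))
    print("21.0.0.213 exploitable:", flash_vulnerable("21.0.0.213"))
```

Run as-is, the script prints the six hops with the OpenX delivery script, the off-host forward, and the `.html.swf` payload tagged, and reports the ceiling build as exploitable. Against real proxy or web-server logs, the same three tags on one client within a few seconds of each other are the signal to pull the Flash version from the user agent and triage the host.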

