from Understanding Java Code and Malware | Malwarebytes Unpacked
Exploit kits are going through some strange phases these days. Two major malware distribution campaigns, namely Pseudo Darkleech and EITest, which were traditionally reserved for Neutrino EK, were redirecting to the underdog RIG EK. Several security researchers (Oddly_Normal, @malware_traffic, BroadAnalysis) pointed out this unexpected behaviour on Twitter.
Our telemetry records only show a few instances of Neutrino via what we earlier described on this blog as the jQueryGate while the fingerprinting pre-gate itself was nowhere near as active.
Time will tell if this is a temporary blip or not. While we have seen some switches between EKs in the past, the Pseudo Darkleech and EITest campaigns which were once part of Angler’s distribution channels, have always been very coveted.
We will keep monitoring this situation and update this post accordingly.
IOCs:
Payload from Pseudo Darkleech:
c4daadcbb525b96644f672025f3a4f3261a40a7b6250f3c726de3f4566cb6cf3
Payload from EITest:
446a639371b060de0b4edaa8789f101eaeae9388b6389b4c852cd8323ec6757c
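The two hashes above are SHA-256 digests of the dropped payloads. The following is an added example (not code from the original post) showing how a responder would sweep a directory for files matching these IOCs; it hashes each file in streaming fashion so large binaries do not have to be loaded into memory, and it keeps the IOC table as a parameter so the same routine can be reused with a different or larger list. The sample bytes in the test are constructed and are not a real payload.

```python
"""Sweep files for the SHA-256 payload IOCs listed in the post (added example)."""
import hashlib
import os
import sys

# SHA-256 payload hashes taken from the IOC list above.
IOCS = {
    "c4daadcbb525b96644f672025f3a4f3261a40a7b6250f3c726de3f4566cb6cf3": "Pseudo Darkleech payload",
    "446a639371b060de0b4edaa8789f101eaeae9388b6389b4c852cd8323ec6757c": "EITest payload",
}


def is_sha256_hex(value):
    """True if value looks like a SHA-256 hex digest (64 hex characters)."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value.lower())


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_bytes(data, iocs=IOCS):
    """Return the IOC label if data's digest is in iocs, else None."""
    return iocs.get(sha256_bytes(data))


def scan(paths, iocs=IOCS):
    """Walk paths (files or directories) and return (path, digest, label) for every IOC hit."""
    hits = []
    for root in paths:
        if os.path.isfile(root):
            candidates = [root]
        else:
            candidates = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
        for p in candidates:
            try:
                digest = sha256_file(p)
            except OSError:
                # Unreadable or vanished file; skip rather than abort the sweep.
                continue
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py /path/to/dir [more paths...]
    for path, digest, label in scan(sys.argv[1:] or ["."]):
        print(f"{path}\t{digest}\t{label}")
```

Hash-based IOCs are exact-match only: a repacked or re-encrypted payload from the same campaign will not hit, so treat a clean sweep as "these specific samples are absent", not as proof the host is clean.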