SECURITY EVANGELIST

It seems that cyber criminals are well rested and have also gotten back to the “office”, because our team has spotted a substantial increase in exploit kit activity from Neutrino, RIG and Angler.

Here’s what it’s all about:

Neutrino’s latest mutations: serving Kovter and Cryptolocker2



Our team at Heimdal Security has observed a very recent change in the servers abused by the Neutrino exploit kit. Among other malware, Neutrino now spreads Kovter-class ransomware and ransomware from the Cryptolocker2 family.

This new campaign also comes with added surreptitious tricks: Google Blackhat SEO poisoning and an immediate focus on Flash Player vulnerabilities as the distribution vector.

The campaign was launched just this morning and works by injecting malicious script code into legitimate websites. Visitors to these websites are redirected to a set of dedicated domains, which in turn connect to a series of new attacker-controlled servers. These new servers are also the source of the malicious payload. Here is a selection of them:

ayolopia [.] top
diffiria [.] top
diffirib [.] top
diffiric [.] top
formanea [.] top
formaneb [.] top
formanec [.] top
jontimb [.] top
jontimc [.] top
knottib [.] top
knottic [.] top
liblinc [.] top
nonetic [.] top
ritkina [.] top
ritkinb [.] top
ritkinc [.] top
temnika [.] top
temnikb [.] top
temnikc [.] top
topcenta [.] top
topcentc [.] top

In this particular campaign, the Neutrino exploit kit focuses on abusing outdated Adobe Flash Player installations. The final objective is to infect the victim’s PC with ransomware.

Here’s a quick overview of what’s new about the Neutrino exploit kit:

  • Use of the .top top-level domain for the redirect and payload servers
  • An improved delivery chain: before serving the payload, the landing page runs a series of checks to determine whether the browser and the Flash Player plugin are up to date, and whether a debugger is present in memory
  • These checks read the Flash Player version number and look for signs of PhantomJS, Node.js or Rhino, i.e. the headless browsers and script engines typically used by automated analysis systems

The Flash Player vulnerability mainly abused in this campaign to infect victims’ PCs with ransomware is CVE-2015-7645.
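As an added illustration, not Neutrino’s code and not taken from this post, here are the two gating checks described above written out as plain JavaScript functions: the automation-environment check and the Flash version check. The property names tested are the well-known markers each runtime exposes. The fixed-version thresholds are the builds Adobe shipped for CVE-2015-7645 (APSB15-27) and, going beyond this section, for the two CVEs the RIG campaign below abuses (CVE-2015-5119 in APSB15-16, CVE-2015-5122 in APSB15-18); only the main release branch is modelled, the 18.x extended support branch had separate fixed builds. The constructed `fakeWindow` object at the end stands in for a real browser.

```javascript
// Added example, not code from the Neutrino exploit kit or from this post.
// Landing-page gating: (1) refuse to run under automated analysis tooling,
// (2) only serve an exploit the visitor's Flash build is actually exposed to.

// Fixed builds per Adobe bulletin (main release branch only; the 18.x extended
// support branch had its own fixed builds, which are not modelled here).
const FIXED_IN = {
  'CVE-2015-5119': [18, 0, 0, 203], // APSB15-16
  'CVE-2015-5122': [18, 0, 0, 209], // APSB15-18
  'CVE-2015-7645': [19, 0, 0, 226], // APSB15-27
};

// Parse "19.0.0.207", "18,0,0,209" (ActiveX style) or the plugin description
// "Shockwave Flash 19.0 r0" into four numbers. A missing build number is read
// as 0. Returns null if nothing version-like is found.
function parseFlashVersion(text) {
  const m = String(text).match(/(\d+)[.,](\d+)(?:[.,](\d+))?(?:[.,\s]r?(\d+))?/);
  if (!m) return null;
  return [m[1], m[2], m[3] || '0', m[4] || '0'].map(Number);
}

// Lexicographic comparison of two four-part version arrays: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// CVEs the given Flash build is still exposed to (strictly below the fixed build).
// Pointed at your own inventory, this is also a quick audit of unpatched clients.
function exposedCves(versionText) {
  const v = parseFlashVersion(versionText);
  if (!v) return [];
  return Object.keys(FIXED_IN).filter((cve) => compareVersions(v, FIXED_IN[cve]) < 0);
}

// Markers left by the environments the post names. `env` is the global object
// (window in a browser), passed in so the check also runs against a plain object.
function detectAutomation(env) {
  const hits = [];
  if ('_phantom' in env || 'callPhantom' in env) hits.push('PhantomJS');
  if (env.process && env.process.versions && env.process.versions.node) hits.push('Node.js');
  if ('Packages' in env || 'java' in env) hits.push('Rhino'); // Java bridge globals
  return hits;
}

// The decision the landing page makes. An analyst running it under PhantomJS,
// or with a patched Flash, only ever sees the 'bail' branch, which is why such
// pages look benign in automated sandboxes.
function chooseAction(env, flashVersionText) {
  if (detectAutomation(env).length > 0) return { action: 'bail', reason: 'automation' };
  const cves = exposedCves(flashVersionText);
  if (cves.length === 0) return { action: 'bail', reason: 'patched' };
  return { action: 'exploit', cves };
}

// Stand-alone run against a constructed browser-like object (not Node's globalThis).
const fakeWindow = {
  navigator: { plugins: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 19.0 r0' }] },
};
console.log(chooseAction(fakeWindow, fakeWindow.navigator.plugins[0].description));
```

Running the block under Node prints the exploit branch for the constructed 19.0 client, because 19.0.0.0 is below the 19.0.0.226 fix for CVE-2015-7645; passing Node’s own `globalThis` as `env` instead trips the Node.js marker and returns the bail branch, which is exactly what a headless analysis run of such a page would see.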

Antivirus detection of the payload is extremely limited: 0 out of 51 solutions flagged the payload as malicious at the moment the campaign was announced.


The RIG exploit kit poisons Google search results with malicious links



On top of the campaign described above, our team at Heimdal Security has spotted additional spikes in activity from other exploit kits, namely Angler and RIG.

This is RIG’s third version, and it systematically abuses known vulnerabilities in popular third-party applications such as Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight to plant malware on outdated Microsoft Windows PCs.

This RIG campaign spreads through drive-by attacks, with victims steered to the compromised pages by Google Blackhat SEO poisoning. Here are a few examples of path fragments from the infected URLs:

Christmas-tree-pull-apart
potential-kandidater-to-replace-ken-Whisenhunt-as-tennessee-titans-head-coach
extra-credits-addressed-chinas-propaganda-game-sesame-credit
Capital-one behavioral-fit-interview-questions-3

This means that a simple Google search for one of these topics, such as a Christmas tree pull-apart, can return results that point to the swarm of compromised websites into which the malicious script code has been injected.

We’ve already blocked a number of domains used in this campaign, including this small sample:

domandvilma [.] com
naughtyhourbooks [.] com
dynamicpasswords [.] us

The entire server at IP address 192.185.21 [.] 183 should be considered harmful. Besides drive-by exploit kits, it also hosts tier-1 gateways to the C&C servers, phishing websites and other malicious content.
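As an added example, not Heimdal’s code and not from this post, here is a small scanner that refangs indicators published in the “[.]” form above, covering both the Neutrino .top domains and the RIG domains and IP address listed in this section, and matches them against proxy log lines. The log format, the client addresses and the log lines themselves are constructed for the example; only the indicators come from the post. The .top check at the end is a triage signal added here, not a block rule, since plenty of legitimate sites use that TLD.

```javascript
// Added example, not code from this post or from Heimdal Security.
// Refang defanged indicators and look for them in proxy logs.

// Indicators as published in the post (defanged with " [.] ").
const DEFANGED_IOCS = [
  'formaneb [.] top',
  'topcentc [.] top',
  'domandvilma [.] com',
  'naughtyhourbooks [.] com',
  '192.185.21 [.] 183',
];

// "formaneb [.] top" -> "formaneb.top"; also drops stray spaces inside a name.
function refang(ioc) {
  return ioc.replace(/\s*\[\.\]\s*/g, '.').replace(/\s+/g, '').toLowerCase();
}

// Hostname of a URL (port stripped, lower-cased), or null if the field is not a URL.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact match, or a subdomain of a listed domain (cdn.topcentc.top hits topcentc.top).
function matchIoc(host, iocs) {
  for (const ioc of iocs) {
    if (host === ioc || host.endsWith('.' + ioc)) return ioc;
  }
  return null;
}

// Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>".
// These lines are made up for the example; only the indicator hosts come from the post.
const SAMPLE_LOG = `
2015-12-29T09:12:03Z 10.0.0.15 GET http://www.example-news.test/article 200
2015-12-29T09:12:04Z 10.0.0.15 GET http://formaneb.top/index.php 200
2015-12-29T09:12:05Z 10.0.0.22 GET http://cdn.topcentc.top/a.swf 200
2015-12-29T09:13:11Z 10.0.0.31 POST http://192.185.21.183/ 200
2015-12-29T09:13:40Z 10.0.0.40 GET http://harmless-example.top/ 200
2015-12-29T09:14:02Z 10.0.0.15 GET https://shop.example.test/cart 200
`;

// One record per suspicious line. kind 'ioc' = matched a published indicator;
// kind 'tld' = only matched the .top heuristic (triage signal, not a verdict).
function scanLog(logText, defangedIocs) {
  const iocs = defangedIocs.map(refang);
  const hits = [];
  for (const line of logText.split('\n')) {
    const f = line.trim().split(/\s+/);
    if (f.length < 5) continue;
    const host = hostOf(f[3]);
    if (!host) continue;
    const ioc = matchIoc(host, iocs);
    if (ioc) {
      hits.push({ kind: 'ioc', time: f[0], client: f[1], host, ioc });
    } else if (host.endsWith('.top')) {
      hits.push({ kind: 'tld', time: f[0], client: f[1], host, ioc: null });
    }
  }
  return hits;
}

console.table(scanLog(SAMPLE_LOG, DEFANGED_IOCS));
```

On the constructed log this yields three indicator hits (the formaneb.top landing page, a subdomain of topcentc.top, and a request straight to the 192.185.21.183 server) plus one .top heuristic hit for an unrelated host; matching on the parsed hostname rather than a substring of the URL is what keeps names such as nottopcentc.top from producing false positives.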

The delivered payloads vary between an infostealer from the Pony family and the TofSee Trojan. Analysis of TofSee confirmed the payload dropped on the victims’ PCs, which sit behind an IP address in Scandinavia.

From our data, obtained through access to RIG exploit kit version 3 panels, this payload achieves an infection success rate of 56% on Windows 7 PCs running Internet Explorer 9. The weak point is Adobe Flash Player, specifically the vulnerabilities CVE-2015-5119 (CVSS score 10) and CVE-2015-5122 (CVSS score 10), both of which are wreaking havoc on Windows PCs.

Antivirus detection of the current payload is low: 2/55 on VirusTotal at the moment the campaign was announced.

Conclusion



Our recommendation is to update your Flash Player installation immediately and to keep all your software up to date at all times. Also, make sure you’re using a multi-layered protection system, so that other security products can catch the attack before your antivirus reacts.

And if you want to ensure that you’re safe from exploit kits, which constantly abuse outdated applications, you can use a solution that automatically keeps your most vulnerable apps up to date. According to US-CERT, this can close up to 85% of attack vectors:

According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85% of all targeted attacks can be prevented by applying a security patch.

