Exploit Kit Evolution - Neutrino

Published: 2015-02-04
Last Updated: 2015-02-04 20:32:32 UTC
by Alex Stanford (Version: 1)
1 comment(s)

This is a guest diary submitted by Brad Duncan.

In September 2014 after the Neutrino exploit kit (EK) had disappeared for 6 months, it reappeared in a different form.  It was first identified as Job314 or Alter EK before Kafeine revealed in November 2014 this traffic was a reboot of Neutrino [1].

This Storm Center diary examines Neutrino EK traffic patterns since it first appeared in the Spring of 2013.

 

Neutrino EK: 2013 through early 2014

Neutrino was first reported in March 2013 by Kafeine on his Malware Don't need Coffee blog [2].  It was also reported by other sources, like Trend Micro [3].

Here's a sample of Neutrino EK from April 2013 using HTTP over port 80:

Shown above:  Neutrino EK traffic from April 2013.

By the summer of 2013, we saw Neutrino use HTTP over port 8000, and the traffic patterns had evolved.  Here's an example from June 2013, back when I first started blogging about malware traffic [4]:

Shown above:  Neutrino EK traffic from June 18th, 2013.

In October 2013, Operation Windigo (an on-going operation that has compromised thousands of servers since 2011) switched from using the Blackhole EK to Neutrino [5].

Before Neutrino EK disappeared in March of 2014, I usually found it in traffic associated with Operation Windigo.  Here are two examples from February and March 2014 [6] [7]:

Shown above:  Neutrino EK traffic from February 2nd, 2014.

Shown above:  Neutrino EK traffic from March 8th, 2014.

March 2014 saw some reports about the EK's author selling Neutrino [8].  Later that month, Neutrino disappeared.  We stopped seeing any sort of traffic or alerts on this EK.

 

Neutrino EK since December 2014

After Kafeine made his announcement and EmergingThreats released new signatures for this EK, I was able to infect a few VMs.  Here's an example from November 2014 [9]:

Shown above:  Neutrino EK traffic from November 29th, 2014.

Traffic patterns have remained relatively consistent since Neutrino reappeared.  I infected a VM on February 2nd, 2015 using this EK.  Below are the HTTP requests and responses to Neutrino EK on vupwmy.dout2.eu:12998.

  • GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/
    absorb/43160/conversation/universal/
  • HTTP/1.1 200 OK (text/html) - Landing page
  • GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/
    background/76767/seal/74018/street/20328/
  • HTTP/1.1 200 OK (application/x-shockwave-flash) - Flash exploit
  • GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/
  • HTTP/1.1 200 OK (text/html) - No actual text, about 25 to 30 bytes of data, shows up as "Malformed Packet" in Wireshark.
  • GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/
  • smart/8962/move/37885/
  • HTTP/1.1 200 OK (application/octet-stream) - Encrypted malware payload
  • GET /lord.phtml?horror=64439&push=75359&pursuit=wash&fond=monsieur&
    wooden=forever&content=21179&despite=liberty&stalk=shiver&faithful=10081&
    bold=35942
  • HTTP/1.1 404 Not Found OK (text/html)
  • GET /america/86960/seven/quiet/blur/belong/traveller/12743/gigantic/96057/
    trunk/69375/await/30077/cunning/39832/betray/638/
  • HTTP/1.1 404 Not Found OK (text/html)

The malware payload sent by the EK is encrypted.

Shown above:  Neutrino EK sends the malware payload.

I extracted the malware payload from the infected VM.  If you're registered with Malwr.com, you can get a copy from:

https://malwr.com/analysis/NjFjNjQyYjBkMzVhNGE4MWE4Mjc1Mzk2NmQxNjFjM2E/

This malware is similar to previous Vawtrak samples I've seen from Neutrino and Nuclear EK last month [10] [11].

 

Closing Thoughts

Exploit kits tend to evolve over time.  You might not realize how much the EK has changed until you look back through the traffic.  Neutrino EK is no exception.  It evolved since it first appeared in 2013, and it significantly changed after reappearing in December 2014.  It will continue to evolve, and many of us will continue to track those changes.

----------

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

[2] http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

[3] http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

[4] http://malware-traffic-analysis.net/2013/06/18/index.html

[5] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

[6] http://malware-traffic-analysis.net/2014/02/02/index.html

[7] http://malware-traffic-analysis.net/2014/03/08/index.html

[8] http://news.softpedia.com/news/Neutrino-Exploit-Kit-Reportedly-Put-Up-for-Sale-by-Its-Author-430253.shtml

[9] http://www.malware-traffic-analysis.net/2014/12/01/index.html

[10] http://malware-traffic-analysis.net/2015/01/26/index.html

[11] http://www.malware-traffic-analysis.net/2015/01/29/index.html

1 comment(s)
February OUCH! Newsletter - Staying Secure on the Road: http://www.securingthehuman.org/ouch
ISC StormCast for Wednesday, February 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4341

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives