Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular redirect campaigns using PseudoDarkleech and EITest Gate to Rig Exploit Kit were shut down in first half of this year.

Despite all this, malvertising campaigns involving exploits kits remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:

• networkmarketingpro3[.]us
• networkmarketingpro2[.]us
• onlinesalesproaffiliate1[.]us
• onlinesalesproaffiliate2[.]us
• onlinesalesproaffiliate3[.]us
• onlinesalesproaffiliate4[.]us
• onlinesalesproaffiliate5[.]us
• onlinesalesproaffiliate6[.]us

Payloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK’s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads.

Propagation

Since July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa’s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.

Figure 1: Fake ad for a hiking club leading to Neptune EK

Redirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site’s pop-up.

Figure 2: Silent redirect to EK landing page

FireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3).

Figure 3: Regions affected by the malvertisement campaign, as observed from customer data

A few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison’s sake.

Figure 4: Real page, flvto[.]biz (Alexa rank 2,674)

Figure 5: Fake page, flvto[.]download

Most of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.

Sites are hosted on IP 95.85.62.226. Reverse lookup for this IP shows:

• 2watchmygf[.]stream
• flvto[.]download
• highspirittreks[.]club
• treknepal[.]club

Other hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.

Since July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: ‘gabendollar399@gmx[.]com’.

The following domains are currently associated with this email:

Domain Name

|

Create Date

|

Registrar

—|—|—

itsmebecauseyoua[.]pw

|

2017-03-05

|

--

loansforevery[.]us

|

2017-04-14

|

1 HOST RUSSIA, INC

managetheworld[.]us

|

2017-04-14

|

1 HOST RUSSIA, INC

nudecams[.]us

|

2017-04-14

|

1 HOST RUSSIA, INC

Exploits/Landing Page

The landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim’s machine (see Figure 6).

Figure 6: Landing page of Neptune EK

This EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.

Currently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:

• CVE-2016-0189 – Internet Explorer
• CVE-2015-2419 – Internet Explorer
• CVE-2014-6332 – Internet Explorer
• CVE-2015-8651 – Adobe Flash Player
• CVE-2015-7645 – Adobe Flash Player

Payload (Monero miner)

The payload is dropped as a plain executable from one of the URI’s belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.

Figure 7: Response header for Monero miner payload

Post infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:

Figure 8: DNS query to minergate[.]com

Figure 9: Login attempt

Conclusion

Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting of the user.

FireEye NX detects exploit kit infection attempts before the malware payload is downloaded to the user’s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.

Indicators of Compromise

Malvertisement domains:

• hxxp://treknepal[.]club/
• hxxp://highspirittrecks[.]club
• hxxp://advnepaltrekking[.]club
• hxxp://nepalyogatrek[.]club
• hxxp://flvto[.]download

Malvertisement IPs:

• 95.85.62.226
• 185.82.202.36

EK domains (current active) registrant:

Domain Name: MANAGETHEWORLD.US
Domain ID: D59392852-US
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services): http://www.namecheap[.]com
Domain Status: clientTransferProhibited
Registrant ID: NLGUS4BVD3M2DN2Y
Registrant Name: kreb son
Registrant Address1: Maker 541
Registrant City: Navada
Registrant State/Province: SA
Registrant Postal Code: 546451
Registrant Country: Bulgaria
Registrant Country Code: BG
Registrant Phone Number: +44.45623417852
Registrant Email: gabendollar399@gmx[.]com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Administrative Contact ID: VNM50NNJ5Y0VNLDY
Administrative Contact Name: kreb son
Administrative Contact Address1: Maker 541
Administrative Contact City: Navada
Administrative Contact State/Province: SA
Administrative Contact Postal Code: 546451
Administrative Contact Country: Bulgaria
Administrative Contact Country Code: BG
Administrative Contact Phone Number: +44.45623417852
Administrative Contact Email: gabendollar399@gmx[.]com

Sample EK URI Pattern:

forum_jVpbUAr/showthread.php?id=xxxxxxx

Sample MD5s:

b678ac0b870b78060a2a9f599000302d
5a18c92e148bbd7f10077f8e7431326e

Acknowledgement

We would like to thanks Hassan Faizan for his contributions to this discovery.