Neutrino EK Spotted Leveraging Patched IE Zero Day

Attackers behind the Neutrino Exploit Kit didn’t take long to co-op a recently patched Internet Explorer zero-day into its arsenal.

Researchers claim the kit has been pushing CVE-2016-0189, a vulnerability that was reportedly used in targeted attacks on South Korean organizations earlier this year. Microsoft fixed the vulnerability, which affects Internet Explorer’s scripting engines, in May.

Four researchers with FireEye, Kenneth Johnson, Sai Omkar Vashisht, Yasir Khalid, and Dan Caselden, explained Thursday how attackers managed to leverage published source code for the exploit.

The researchers claim that the criminals behind Neutrino must have noticed when Theori, an Austin-based cybersecurity R&D startup, developed a proof-of-concept exploit around the vulnerability in June.

> Researchers at Theori published an analysis of Internet Explorer 11 VBScript Memory Corruption (with PoC exploit) <https://t.co/N6KsQbE30o&gt;
>
> — Theori (@theori_io) June 23, 2016

Researchers with Theori deconstructed the vulnerability following Microsoft’s Patch Tuesday release that month and were able to compare the original to the patched programs, identify the root cause of the vulnerability and devise a proof-of-concept around it.

FireEye researchers claim the exploit in Neutrino is exactly the same as the exploit that Theori came up with, suggesting the attackers simply borrowed the firm’s PoC.

The bug can be exploited when a lock isn’t put on an array before its worked on, something that can lead to an issue – and eventually memory corruption – if the array is accessed when another function is in the middle of working on it. The vulnerability can also be exploited to achieve remote code execution, assuming a victim using IE, lands on a site hosting the exploit.

The Neutrino kit works by embedding several exploits – including CVE-2016-0189 – into a Shockwave (.SWF) file that once run, scans the system in order to see which vulnerability to exploit.

The researcher Kafiene, who blogs at Malware Don’t Need Coffee, discussed earlier this week how he’d seen the CVE integrated into Neutrino, even posting a screenshot of the kit, dropping Locky, complete with its list of exploits,

In recent months a handful of malvertising and ransomware campaigns have pivoted towards kits like RIG and Neutrino in the wake of dying, if not already dead kits like Angler and Nuclear. In a report last month Proofpoint said that Neutrino dropping CryptXXX accounted for 75 percent of its observed exploit kit traffic while another 10 percent combined of Neutrino and Magnitude was dropping Cerber. While they were successful for a long stretch of time, activity from Nuclear and Angler has been basically non-existent since the end of April and the beginning of June, respectively, Kafiene told Threatpost last month.