A prominent cybercrime actor or group has been kicking the tires on the Neutrino Exploit Kit to move ransomware and other malware, the SANS Institute’s Internet Storm Center reported today.
Neutrino is a tier below the prolific Angler Exploit Kit, which is frequently at the heart of new attacks, largely because it has the reputation for quickly integrating exploits for the latest publicly reported zero days.
This actor’s move away from Angler to Neutrino, however, shouldn’t necessarily be viewed as the end of the line for Angler, which ultimately has been established as the successor to Blackhole as the exploit kit of choice. Blackhole went out of business once its keeper, a hacker known as Paunch, was arrested in October 2013.
“If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic,” wrote SANS ISC handler and Rackspace security engineer Brad Duncan. “However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this.”
There are a number of reasons a hacker or criminal group could switch weapons, ranging from the possibility the Angler group no longer wishes to do business with this group to something as simple as a pricing change on the black market for Neutrino, affording the hackers a chance to try a new attack vector.
As for Angler, it likely remains the most dynamic of exploit kits, and it quickly incorporated all of the publicly disclosed, previously unreported vulnerabilities from the HackingTeam breach, including an Internet Explorer zero day that Microsoft patched in July. Exploits for this vulnerability, for example, have been packaged in Angler, but not Neutrino.
As the SANS ISC report points out, infection chains originating with Neutrino aren’t as regular as those with Angler, Nuclear or Rig, for example. But as of yesterday, traffic from this one actor shifted; Duncan wrote it’s unknown whether the shift to Neutrino is permanent.
Duncan wrote that he analyzed two infection chains originating from the same compromised website.
“That same site that led to Angler EK last week is not causing Neutrino EK,” he wrote. Traffic emanating from the compromised site, actionasia[.]com, had the same injected code, but the iframe portion of the attack was pointing to Neutrino landing pages, and not Angler as before. The link is that the payload in both instances was a rash of Cryptowall 3.0 infections pointing to the same Bitcoin address for ransom payments, Duncan wrote.
“When checking the decrypt instructions for the ransom payment, the more recent CryptoWall 3.0 sample from Neutrino EK used the same bitcoin address as the Angler EK payload on 2015-08-13,” Duncan wrote. “This is the same Bitcoin address used by several CryptoWall 3.0 samples from Angler EK going back as early as 2015-07-01.”
As of yesterday, Neutrino infection traffic was also moving over a non-standard TCP port, 3712, likely as a strategy for avoiding detection, Duncan said.
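The chain Duncan describes, a page on a compromised site whose injected iframe sends the browser to a different host on a non-standard port, can be hunted for in web proxy logs. The sketch below is an added example, not code from the SANS ISC report; the log format, the `.example` hostnames and the allow-list of ports are constructed assumptions, and only port 3712 comes from the report.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

STANDARD_PORTS = {80, 443, 8080}   # assumption: ports this proxy normally sees
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed proxy log: time, client, method, URL, Referer ("-" if none)
SAMPLE_LOG = """\
2015-08-20T14:02:11 10.0.0.15 GET http://compromised.example/ -
2015-08-20T14:02:12 10.0.0.15 GET http://compromised.example/js/site.js http://compromised.example/
2015-08-20T14:02:13 10.0.0.15 GET http://landing.example:3712/gate/index.html http://compromised.example/
2015-08-20T14:02:15 10.0.0.15 GET http://landing.example:3712/gate/obj.swf http://landing.example:3712/gate/index.html
2015-08-20T14:05:40 10.0.0.22 GET http://intranet.example:8080/wiki http://intranet.example:8080/
2015-08-20T14:06:02 10.0.0.22 GET http://cdn.example/app.css http://news.example/
"""

def host_port(url):
    """Return (hostname, effective port) for a URL, or (None, None)."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None, None
    return parts.hostname, parts.port or DEFAULT_PORT.get(parts.scheme)

def find_offport_hops(log_text, window=timedelta(seconds=30)):
    """Flag cross-site requests to a non-standard port that follow a visit
    by the same client to the referring site within `window`."""
    last_visit = {}   # (client, host) -> time of most recent request
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, _method, url, referer = fields
        when = datetime.fromisoformat(ts)
        dst_host, dst_port = host_port(url)
        if dst_host is None:
            continue
        ref_host, _ = host_port(referer)
        seen = last_visit.get((client, ref_host))
        if (ref_host and ref_host != dst_host
                and dst_port not in STANDARD_PORTS
                and seen is not None and when - seen <= window):
            hits.append((client, ref_host, dst_host, dst_port))
        last_visit[(client, dst_host)] = when
    return hits

if __name__ == "__main__":
    for hit in find_offport_hops(SAMPLE_LOG):
        print("%s: %s -> %s:%d" % hit)
```

Each hit names the referring site as well as the off-port destination, which gives responders the compromised page to report or block in addition to the landing host.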
It’s likely this is a temporary blip on the radar and that Angler will remain for the time being as the preferred exploit kit. It continues to add fresh exploits, witness the HackingTeam exploits, and refreshes its evasion techniques. In early July, it began changing up URL patterns, so much so that they were almost unrecognizable from just a month earlier.
While Angler still pushes out various malware payloads, it seems to have taken a liking to Cryptowall 3.0. The ransomware encrypts files on a victim’s machine, holding them hostage until a ransom of anywhere between $500 and several thousand dollars is paid in Bitcoin; only then is the decryption key shared with the victim. The FBI in June raised an alert on Cryptowall and said that losses related to infections totaled more than $18 million in the U.S.