Save the Date for Zenith Live 2020 Pre-Register
Save the Date for Zenith Live 2020 Pre-Register
Blogs > Security Research

Neutrino Campaign Leveraging WordPress, Flash For CryptoWall

By: ThreatLabz

AdobeExploitExploit KitRansomwareVulnerability

Neutrino Campaign Leveraging WordPress, Flash For CryptoWall


Neutrino Exploit Kit (EK) appeared on the scene around March of 2013 and continues to remain active and incorporate new exploits. In the beginning of July, Neutrino reportedly incorporated the HackingTeam 0day (CVE-2015-5119), and in the past few days we've seen a massive uptick in the use of the kit. The cause for this uptick appears due to widespread WordPress site compromises. ThreatLabZ started seeing a new campaign where WordPress sites running version 4.2 and lower were compromised, and the image below illustrates the components involved in this campaign.  

Fig 1. Complete Neutrino WordPress campaign

In analyzing the infection cycle, there are multiple recent changes in the Neutrino code, some that are normally characteristics of Angler Exploit Kit, but others that remain unique to Neutrino.

WordPress Compromises

Similar to Angler Exploit Kit, the new wave of Neutrino is targeting outdated versions of WordPress. In fact, we have seen over 2600 unique WordPress sites being used in this campaign where more than 4200 distinct pages have been logged with dynamic iframe injection in the last month. As mentioned, all the targeted websites were running WordPress version 4.2 and lower.  

Fig 2. Event timeline overview

The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler samples. Compare these recent Neutrino and Angler samples below.  

Fig 3. Neutrino on the left, Angler on the right

The code specifically targets Internet Explorer, so those using other browsers won't be served the iframe, and a cookie is used to prevent serving the iframe multiple times to the same victim. The actual Neutrino landing pages are retrieved on the backend through the injected php code, a sample of which is below:  

Fig 4. Injected php code

Note the base64 encoded value boxed in red above; this decodes to the URL below, where X, Y, and Z are integers:

This URL is used to retrieve an updated landing page URL, and we've noted that the URLs change very frequently. Additionally, the primary IP hosting the majority of landing page domains is '' which is owned by We reached out to them via email briefly explaining what we were seeing and received no response.

Neutrino Landing Page

The landing page has been updated and contains some JavaScript that only declares variables, and then a flash loader:  

Fig 5. Neutrino landing page

If flash isn't installed on the victim machine, an old flash cab is pushed to the user prior to serving the malicious SWF. Note the departure from using base64 encoded data blobs, or really using very much code at all on the landing page.  

Neutrino SWF

Past versions of the Neutrino SWF contained multiple exploit payloads encrypted via RC4. Examining this SWF shows that things have apparently changed as the structure is very different:  

Fig 6. SWF structure

Taking a look at the code shows that instead of RC4, there is a decode function that uses the input of one binary data blob to decode a second binary blob; the decoded data reveals a second SWF:  

Fig 7. Decode function for embedded SWF

Detection results for the SWF are very poor with only one vendor detecting it:  

Fig 8. Poor detection results on SWF

Carving out the embedded SWF and analyzing it shows a much more familiar structure for Neutrino, with some additional enhancements. Notably similar is the use of multiple embedded binary blobs that are RC4 encrypted:  

Fig 9. Binary data inside embedded SWF


Fig 10. Script data inside embedded SWF - characteristic of Neutrino

These binary blobs contain multiple payloads, and this has been analyzed and documented in the past, notably by Kafeine and Dennis O'Brien on Malwageddon. However, unlike past Neutrino SWFs, the RC4 keys are no longer in cleartext and decoding them requires tracing through multiple function calls. The ActionScript structure is still very recognizable though:  

Fig 11. Decoder for one binarydata 'exploitWrapper' blob

Detection on the embedded SWF is also quite poor.

Fig 12. Embedded SWF VT detection



Successful exploitation of a victim leads to an encrypted executable download. The binary is decrypted and begins beaconing almost immediately:  

Fig 13. Initial beacon summary
Fig 14. Full beacon/response sample



Looking at the traffic, we can immediately see this is CryptoWall 3.0. Sure enough, a couple minutes later we see the all too familiar 'HELP_DECRYPT' page and see connections out to the payment servers:  

Fig 15. Payment server connections


Fig 16. CryptoWall 3.0 HELP_DECRYPT page

To read more about CryptoWall, please see our previous writeup here.  

Campaign Information

As stated, the primary IP for the observed Neutrino landing pages is '' which is owned by Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains. Full whois domain sample for completeness: WHOIS MOHGROUP.XYZ Domain Name: MOHGROUP.XYZ  Domain ID: D9543161-CNIC  WHOIS Server:  Referral URL:  Updated Date: 2015-08-18T08:34:04.0Z  Creation Date: 2015-08-18T08:34:03.0Z  Registry Expiry Date: 2016-08-18T23:59:59.0Z  Sponsoring Registrar: AlpNames Limited  Sponsoring Registrar IANA ID: 1857  Domain Status: clientTransferProhibited  Domain Status: serverTransferProhibited  Domain Status: addPeriod  Registrant ID: ALP_44867689  Registrant Name: Max Vlapet  Registrant Organization: N/A  Registrant Street: Mausoleum str, pl.13  Registrant City: Moscow  Registrant State/Province: Moscow  Registrant Postal Code: 123006  Registrant Country: RU  Registrant Phone: +7.4959826524  Registrant Phone Ext:  Registrant Fax:  Registrant Fax Ext:  Registrant Email: [email protected]  Admin ID: ALP_44867689  Admin Name: Max Vlapet  Admin Organization: N/A  Admin Street: Mausoleum str, pl.13  Admin City: Moscow  Admin State/Province: Moscow  Admin Postal Code: 123006  Admin Country: RU  Admin Phone: +7.4959826524  Admin Phone Ext:  Admin Fax:  Admin Fax Ext:  Admin Email: [email protected]  Tech ID: ALP_44867689  Tech Name: Max Vlapet  Tech Organization: N/A  Tech Street: Mausoleum str, pl.13  Tech City: Moscow  Tech State/Province: Moscow  Tech Postal Code: 123006  Tech Country: RU  Tech Phone: +7.4959826524  Tech Phone Ext:  Tech Fax:  Tech Fax Ext:  Tech Email: [email protected]  Name Server: NS2.MOHGROUP.XYZ  Name Server: NS1.MOHGROUP.XYZ  DNSSEC: unsigned  Billing ID: ALP_44867689  Billing Name: Max Vlapet  Billing Organization: N/A  Billing Street: Mausoleum str, pl.13  Billing City: Moscow  Billing State/Province: Moscow  Billing Postal Code: 123006  Billing Country: RU  Billing Phone: +7.4959826524  Billing Phone Ext:  Billing Fax:  Billing Fax Ext:  Billing Email: [email protected]  >>> Last update of WHOIS database: 2015-08-19T00:44:12.0Z <<<  Unfortunately, very little information is available for the other TLDs in use. The backend IP serving new landing page URLs is registered to a company called 'VDS INSIDE' located in Ukraine. A dump of the 700+ malicious domains and/or landing pages we've collected is on pastebin:


WordPress, being a widely popular and free Content Management System (CMS), remains one of the most attractive targets for cyber criminals.  WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware. This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena. ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.  


Special thanks to Dhruval Gandhi for profiling compromised WordPress sites Write-up by: John Mancuso, Deepen Desai  

Suggested Blogs