Neutrino Exploit Kit (EK) has not seen as much activity this year as more popular kits like Angler and RIG. But over the last month we have seen an increase in activity from Neutrino, with multiple campaigns using both compromised sites and advertising services.
Figure 1: Neutrino hits over the last 30 days
Although the majority of Neutrino activity in 2016 has been through compromised, otherwise legitimate sites, several new Neutrino malvertising campaigns have emerged. Like several campaigns observed in late 2015, the end payload from the exploit kit from these recent campaigns was Gamarue/Andromeda. Multiple advertising networks were involved in serving the malicious pages, which served other advertising content as well as a Neutrino landing page.
The content served by the advertising networks consisted of two iframe injections. One served the advertising content, which typically pulled from casino-related game sites. The other requested PHP page from the same host, which would serve yet another iframe that pointed to one of several Neutrino landing page domains hosted on the same IP. After multiple requests to the intermediary page, the host would stop serving the iframe redirect and instead serve a blank page, making enumerating the associated landing pages challenging.
Figure 2: Neutrino EK infection session
Figure 3: iframe redirects from malicious site
Figure 4: Neutrino EK Landing page
The landing page serves a malicious SWF in standard EK form. This exploits Flash Player and downloads, decrypts, and executes a packed Gamarue payload.
Figure 5: Flash exploit payload
Figure 6: Encrypted Malware payload
Gamarue/Andromeda is a modular trojan and a well-documented malware family that has seen many changes over the last several years. It is frequently used to download other second-stage payloads or toolkits, as well as extending its own functionality with modules downloaded after infection.
The sample attempted to contact a command and control server hosted on a domain with a similar naming scheme to the original malicious site. Other samples seen in the campaign contacted similar domains, hosted on different IPs. At one point, the botnet C2 was hosted on the same IP as the malicious domain. We observed Gamarue downloading additional modules from the callback domain.
Gamarue uses the machine volume serial number as part of its botnet registration. If multiple attempts were made to run a sample in a sandbox with the same volume serial number, the registration would fail and no further modules would be downloaded.
The Gamarue base uses several anti-analysis methods to avoid being run in a sandbox. However, the anti-analysis functionality can be bypassed by creating a registry key under “HKEY_LOCAL_MACHINE\SOFTWARE\Policies” named “is_not_vm” with the value as the volume serial number as a 32-bit hexadecimal number.
Figure 7: Gamarue callback traffic
Figure 8: Gamarue modules
Gamarue/Andromeda is analyzed in depth at https://blog.avast.com/andromeda-under-the-microscope
This exploit chain is a typical example of recent malvertising activity using Neutrino EK. Using advertising services to deliver exploit kits allows the attacker to rapidly set up new malicious domains without having to compromise existing legitimate hosts. Gamarue is still a common payload for Neutrino and other exploit kits, as it is easily customizable to serve as a downloader for a second-stage infection or extended with other modules. To help avoid infections such as these, users should always block untrusted third-party scripts and resources.
Zscaler’s ThreatLabZ has confirmed coverage for the Neutrino EK redirect & landing page scripts and Gamarue payloads, ensuring protection for organizations using Zscaler’s Internet security platform.
Malicious domain: kkkj[.]ru (18.104.22.168, 22.214.171.124)
Landing page domains:
znnn[.]ru (126.96.36.199, 188.8.131.52)
SWF exploit: D834A9891C7438B13F4A0D34ED71C84A