
In Part I of our 2015 Infosec Wishlist series, several experts expressed their desire for security professionals to renew their focus on foundational security controls and to take stock of the systems that handle their organizations’ data. Their advice is well-reasoned. By reexamining the processes and solutions that comprise an enterprise’s information security strategy, analysts can decide what to keep and what to change for the New Year. Sometimes all it takes is a little innovation to make the most out of an existing security policy.

Apparently, the value of innovation has not been lost on the authors of several exploit kits. Heimdal Security has observed that the Neutrino and RIG exploit kits in particular have incorporated new servers, new tactics and new payloads into their attacks. Together, these changes make the two exploit kits an even bigger nightmare for users going into 2016.

To usher in the New Year, the Neutrino exploit kit has begun slinging two different types of ransomware: Kovter and Cryptolocker2.

This discovery follows an active holiday season for the malware strains. Indeed, Heimdal observed late last year that Kovter and Cryptolocker2 were being dropped from IRS spam emails and from a PostNord scam email campaign, respectively.

But that does not account for all of the exploit kit’s changes. Neutrino has also adopted Google Blackhat SEO poisoning, as we witnessed from the Angler exploit kit back in October, paired with Adobe Flash vulnerabilities.

“The campaign … has injected malicious script code into legitimate websites,” explains Andra Zaharia of Heimdal Security in a blog post. “When visiting these websites, the victim is moved to a selection of dedicated domains which connect to a series of new servers controlled by the attackers. These new servers are also the source of the malicious payload.”

All of the servers observed in the Blackhat SEO campaign use the “.top” top-level domain and serve a payload that first runs a series of checks to see whether the user’s browser and Adobe Flash plugin are up to date. If they are not, Neutrino exploits the Flash vulnerability CVE-2015-7645, which Adobe patched back in October, to infect the victim’s machine with Kovter ransomware.
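The redirect chain Zaharia describes (search result, then compromised site, then attacker-controlled .top server) leaves a recognisable trace in web-proxy logs. The following Python is an added example, not code from Heimdal or the original post: it assumes a hypothetical "time client url referer" proxy log format, uses constructed placeholder hosts rather than real indicators, and flags any client whose request to a .top host traces back, through referers within a short time window, to a landing from a Google search.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log excerpt (hypothetical "time client url referer" format).
# Every host below is a placeholder, not an indicator from the article.
SAMPLE_LOG = """\
2016-01-04T10:00:01 10.0.0.5 http://recipes.example.org/christmas-tree-pull-apart http://www.google.com/search?q=christmas+tree+pull+apart
2016-01-04T10:00:02 10.0.0.5 http://redirector.example.top/gate.php http://recipes.example.org/christmas-tree-pull-apart
2016-01-04T10:00:03 10.0.0.5 http://payload.example.top/flash.swf http://redirector.example.top/gate.php
2016-01-04T10:05:00 10.0.0.9 http://news.example.com/story http://www.google.com/search?q=news
2016-01-04T10:05:01 10.0.0.9 http://cdn.example.com/app.js http://news.example.com/story
2016-01-04T11:00:00 10.0.0.7 http://shop.example.top/index.html -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
WINDOW = timedelta(seconds=30)  # max delay between a referer and the hop it caused

def host_of(url):
    return urlsplit(url).hostname or ""

def is_search_engine(host):
    return host == "google.com" or host.endswith(".google.com")

def find_seo_poison_chains(log_text, suspicious_tld=".top", window=WINDOW):
    """Return (client, [hosts]) for every chain: search result -> site -> *.top."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, url, referer = m.groups()
            by_client[client].append((datetime.fromisoformat(ts), url, referer))
    hits = []
    for client, events in by_client.items():
        events.sort()
        by_url = {url: (t, ref) for t, url, ref in events}  # last request per URL
        for t, url, ref in events:
            # Report only the first hop into the suspicious TLD; later hops share its chain.
            if not host_of(url).endswith(suspicious_tld) or host_of(ref).endswith(suspicious_tld):
                continue
            chain, cur_ref, cur_t = [host_of(url)], ref, t
            # Walk the referer chain backwards while each hop is inside the window.
            while cur_ref in by_url and cur_t - by_url[cur_ref][0] <= window:
                prev_t, prev_ref = by_url[cur_ref]
                chain.append(host_of(cur_ref))
                if is_search_engine(host_of(prev_ref)):  # landed here from a search
                    hits.append((client, chain[::-1]))
                    break
                cur_ref, cur_t = prev_ref, prev_t
    return hits
```

A direct visit to a .top host with no search-engine origin (client 10.0.0.7 above) is deliberately not flagged, which keeps the rule tied to the SEO-poisoning pattern rather than to the TLD alone.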

As for RIG, Heimdal has observed that another Blackhat SEO campaign is using drive-by attacks to spread the exploit kit.

All of the following URLs have been involved in the campaign over the past few weeks:

  • Christmas-tree-pull-apart
  • potential-kandidater-to-replace-ken-Whisenhunt-as-tennessee-titans-head-coach
  • extra-credits-addressed-chinas-propaganda-game-sesame-credit
  • Capital-one behavioral-fit-interview-questions-3

“This means that, when doing a simple Google search on how to easily remove the Christmas tree, a user can get results that point to the swarm of compromised websites where malicious script code is injected,” comments Zaharia.

Heimdal has already blocked several domains, including “domandvilma [.] com,” “naughty hour books [.] com,” and “dynamic passwords [.] us” for spreading RIG, in addition to redirecting users to phishing pages and other malicious content.

Each drive-by in this campaign looks for vulnerabilities in Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight. Successful infection leads the exploit kit to drop Pony and the TofSee Trojan, among other payloads.

As of this writing, roughly half (23/55) of anti-virus providers detect RIG’s payload. However, only 2/38 have spotted Neutrino’s payload.

For this reason, users are urged to keep their browsers and vulnerable apps, especially Adobe Flash, up-to-date at all times.

Title image courtesy of ShutterStock