SANS Internet Storm Center, InfoCON: green: Actor using Angler exploit kit switched to Neutrino, (Thu, Aug 20th)


Introduction

I've often had a hard time finding compromised websites to kick off an infection chain for the Neutrino exploit kit (EK). During the past few months, we've usually seen Angler EK, Nuclear EK, or Rig EK instead. But the situation changed by Wednesday 2015-08-19. Earlier this week, we stopped finding as much Angler EK and started seeing a lot more traffic for Neutrino.

Our preliminary analysis indicates the actor behind a significant amount of Angler EK during recent months switched to Neutrino EK sometime this week. We don't have enough data to know if this change is permanent.

This diary presents our preliminary analysis, and it looks at current URL patterns for Neutrino EK. In this analysis, we examine changes in two infection chains kicked off by the same compromised website. The same site that led to Angler EK last week is now causing Neutrino EK.

Preliminary results

The first traffic example from Thursday 2015-08-13 has Angler EK. The second example from the same compromised website on Wednesday 2015-08-19 has Neutrino EK.

Similarities in the traffic indicate these were caused by the same actor:

1) Pages from this compromised website had the same injected code, but the iframe changed from an Angler EK landing URL to Neutrino.

2) Each time, the payload was CryptoWall 3.0 using 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as the bitcoin address for ransom payment.

I noticed this in a few other compromised websites that led to Angler EK traffic last week.

EK traffic normally requires a referrer, and Google did not let us get to actionasia.com from its search results. I had to get at the compromised website from a Bing search. If Bing gives you a warning, it also gives you the option to proceed to the compromised site. Google will not.

On Thursday 2015-08-13, this website had injected code with an iframe leading to Angler EK [1]. Six days later on Wednesday 2015-08-19, this website showed the same pattern of injected code, but the iframe pointed to a URL for Neutrino EK. See the below images for comp
Shown above: Same style of injected script 6 days later, this time pointing to Neutrino EK.

Post-infection traffic in both cases reveals a CryptoWall 3.0 infection. When checking the decrypt instructions for the ransom payment, the more recent CryptoWall 3.0 sample from Neutrino EK used the same bitcoin address as the Angler EK payload on 2015-08-13. This is the same bitcoin address used by several CryptoWall 3.0 samples from Angler EK going back as early as
Shown above: Bitcoin address from the CryptoWall 3.0 decrypt instructions on 2015-08-19 after the Neutrino EK infection.

Neutrino EK traffic

Infection traffic from Wednesday 2015-08-19 shows Neutrino EK on 185.44.105.7 over TCP port 3712. Current URL patterns for Neutrino EK have evolved somewhat since it reappeared in December 2014 after a hiatus of several months [3]. These changes in Neutrino are relatively recent. The EK's URLs are generally shorter than last month, and they show different patterns.

People have asked me why Neutrino EK uses a non-standard TCP port for its HTTP traffic. I can only guess it
Shown above: Neutrino EK sends the malware payload, a CryptoWall 3.0 executable (encrypted).

A link to the Hybrid-Analysis.com report for the decrypted payload (CryptoWall 3.0) is here.

Shown above: ip-addr.es - address check by CryptoWall.

Shown above: User checking the decrypt instructions.

Traffic:

  • 2015-08-19 16:40:07 UTC - actionasia.com - GET /
  • 2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /bleed/fasten-22739002
  • 2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /1998/06/02/audience/abandon/debate/hiss-happy-shore-enemy.html
  • 2015-08-19 16:40:15 UTC - obvpd.mohgroup.xyz:3712 - GET /observation/d2V0cGNsaGtuYw
  • 2015-08-19 16:40:18 UTC - obvpd.mohgroup.xyz:3712 - GET /dale/aHB0a2Vj
  • 2015-08-19 16:40:22 UTC - ip-addr.es - GET /
  • 2015-08-19 16:40:25 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?x=nyg80cl4x4
  • 2015-08-19 16:40:27 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?z=7gh5okukgq5qtw
  • 2015-08-19 16:40:31 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?t=d8limjgdeqca
  • 2015-08-19 16:40:40 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?u=5cbq0udpvsjx
  • 2015-08-19 16:40:45 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /[random string]
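The traffic listing above shows the three things a defender can key on from this diary: HTTP to a non-standard port (3712), several rapid requests (landing page, exploit, payload) to that same odd-port host, and the CryptoWall 3.0 post-infection shape (ip-addr.es check, then POSTs to a .php under wp-content/uploads with a one-letter query key). The following is an added example, not code from the ISC diary or its author; the log format, the heuristic rules and the sample lines (copied from the listing above) are my own constructions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this diary's traffic listing, one request per line.
SAMPLE = """\
2015-08-19 16:40:07 UTC - actionasia.com - GET /
2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /bleed/fasten-22739002
2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /1998/06/02/audience/abandon/debate/hiss-happy-shore-enemy.html
2015-08-19 16:40:15 UTC - obvpd.mohgroup.xyz:3712 - GET /observation/d2V0cGNsaGtuYw
2015-08-19 16:40:18 UTC - obvpd.mohgroup.xyz:3712 - GET /dale/aHB0a2Vj
2015-08-19 16:40:22 UTC - ip-addr.es - GET /
2015-08-19 16:40:25 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?x=nyg80cl4x4
2015-08-19 16:40:27 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?z=7gh5okukgq5qtw
"""

# 'timestamp UTC - host[:port] - METHOD path' as printed in the diary (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - "
    r"(?P<host>[^\s:]+)(?::(?P<port>\d+))? - (?P<method>GET|POST) (?P<path>\S+)$"
)
# Post-infection check-in shape seen above: POST to a .php under wp-content/uploads, one-letter key.
C2_RE = re.compile(r"^/wp-content/uploads/[^?]+\.php\?[a-z]=[0-9a-z]+$")

def parse(log):
    """Turn the log text into dicts with ts, host, port (default 80), method, path."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"]) if row["port"] else 80
            rows.append(row)
    return rows

def flag(rows):
    """Apply the heuristics and return a sorted list of (rule, host) findings."""
    odd_port_hits = defaultdict(int)
    found = set()
    for r in rows:
        if r["port"] not in (80, 443, 8080):          # HTTP on an unusual port, e.g. 3712
            found.add(("http_nonstandard_port", r["host"]))
            odd_port_hits[r["host"]] += 1
        if r["method"] == "POST" and C2_RE.match(r["path"]):
            found.add(("cryptowall_c2_post_pattern", r["host"]))
    for host, n in odd_port_hits.items():
        if n >= 3:  # landing page, exploit and payload all served by one odd-port host
            found.add(("ek_chain_candidate", host))
    return sorted(found)

if __name__ == "__main__":
    for rule, host in flag(parse(SAMPLE)):
        print(f"{rule}: {host}")
```

The thresholds are heuristics; on real proxy logs they are a starting point for a hunt query, not a signature.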

Snort-based alerts on the traffic

I tried reading the pcap with the latest version of Snort (2.9.7.5) on a Debian 7 host using the Snort registered rule set. The subscriber ruleset is more up-to-date, but the registered ruleset is free. Make sure to use pulledpork for keeping your rules up-to-date. My results show alerts for CryptoWall during the post-infection traffic, and we also find an alert incorrectly identifying one of the EK URLs as Sweet Orange.

I also played back the pcap on Security Onion using Suricata and the EmergingThreats (ET) open ruleset. Like the Snort registered ruleset, the ET open ruleset is free. Remember to run sudo /usr/bin/rule-update to make sure your rules are up-to-date. The results show alerts for Neutrino EK using signatures from earlier this month. We also find alerts for CryptoWall 3.0.

Final words

If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic. However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this. We will continue to monitor the threat landscape and let the community know of any significant changes.

Traffic and malware from the analysis are listed below:
