This post was originally published on this site

ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Exploit kit (EK) activity has been on the decline ever since Angler
Exploit Kit was shut down
in 2016. Fewer
people using Internet Explorer
and a drop
in browser support for Adobe Flash
– two primary targets of many
exploit kits – have also contributed to this decline. Additionally,
some popular redirect campaigns using PseudoDarkleech
and EITest Gate to Rig Exploit Kit
were shut down in first half
of this year.

Despite all this, malvertising
campaigns involving exploits kits
remain active. The Neptune
Exploit Kit (or Terror EK), which initially started as a Sundown EK
copycat operation, has relied heavily on malvertisements. Early use of
this exploit kit saw domains with very similar patterns dropping
cryptocurrency miners through malvertisements:

  • networkmarketingpro3[.]us
  • networkmarketingpro2[.]us
  • onlinesalesproaffiliate1[.]us
  • onlinesalesproaffiliate2[.]us
  • onlinesalesproaffiliate3[.]us
  • onlinesalesproaffiliate4[.]us
  • onlinesalesproaffiliate5[.]us
  • onlinesalesproaffiliate6[.]us

Payloads spread by Neptune Exploit Kit have since diversified.
Recently, we have seen changes in Neptune EK’s URI patterns, landing
pages, malvertisement campaigns and login account details associated
with the cryptocurrency mining payloads. 

Propagation

Since July 16, our Dynamic Threat Intelligence (DTI) has observed
changes in URI patterns for Neptune Exploit Kit. At the time of
writing, the new campaign abuses a legitimate popup ad service (within
Alexa’s top 100) with redirects to ads about hiking clubs, as shown in
Figure 1.


Figure 1: Fake ad for a hiking club
leading to Neptune EK

Redirects from domains associated with these ads eventually use 302
redirects to move victims to exploit kit landing pages. Fake domains
involved in these redirects imitate real domains. For example,
highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com.
Other hiking fake ads use similarly spoofed legitimate site names with
.club domains. Figure 2 shows a redirect from a fake site’s pop-up.


Figure 2: Silent redirect to EK landing page

FireEye Dynamic Threat Intelligence (DTI) stats show the regions
being affected by this campaign (Figure 3).   


Figure 3: Regions affected by the
malvertisement campaign, as observed from customer data

A few instances of the redirect involve flvto[.]download (mimicking
the legitimate www.flvto[.]biz) instead of hiking club fake ads.
Figure 4 and Figure 5 show the legitimate domain and fake domain,
respectively, for comparison’s sake.


Figure 4: Real page, flvto[.]biz (Alexa
rank 2,674)


Figure 5: Fake page, flvto[.]download

Most of the ads linked to this campaign have been observed on
high-traffic torrent and multimedia hosting sites.

Sites are hosted on IP 95.85.62.226. Reverse lookup for this
IP shows:

  • 2watchmygf[.]stream
  • flvto[.]download
  • highspirittreks[.]club
  • treknepal[.]club

Other hosted IPs and domains of the same campaign are in the
Indicators of Compromise section at the end of the post. All IPs point
to locations in Amsterdam.

Since July 16, related EK infrastructure has been hosted on domains
protected by Whois Guard. However, in recent activity, domains are
linked to the Registrant email: ‘gabendollar399@gmx[.]com’.  

The following domains are currently associated with this email:

Domain Name

Create Date

Registrar

itsmebecauseyoua[.]pw

2017-03-05

loansforevery[.]us

2017-04-14

1 HOST RUSSIA, INC

managetheworld[.]us

2017-04-14

1 HOST RUSSIA, INC

nudecams[.]us

2017-04-14

1 HOST RUSSIA, INC

Exploits/Landing Page

The landing page for the Neptune Exploit Kit redirects to further
HTML and Adobe Flash exploit links after it checks the Flash versions
installed on the victim’s machine (see Figure 6).


Figure 6: Landing page of Neptune EK

This EK exploits multiple vulnerabilities in one run. Most of these
exploits are well-known and commonly seen in other exploit kits.

Currently, Neptune EK uses three Internet Explorer exploits and two
Flash exploits:

Payload (Monero miner)

The payload is dropped as a plain executable from one of the URI’s
belonging to the EK domain (same as the landing page). Figure 7 shows
a typical response header for these cases.


Figure 7: Response header for Monero
miner payload

Post infection traffic shows an attempt to connect to
minergate[.]com (Figure 8) and a login attempt using the cpu-miner
service via the login email monsterkill20@mail[.]com (Figure 9). Login
attempts are invoked via the command line:


Figure 8: DNS query to minergate[.]com


Figure 9: Login attempt

Conclusion

Despite an observable decline in exploit kit activity, users are
still at risk, especially if they have outdated or unpatched software.
This threat is especially dangerous considering drive-by exploit kits
(such as Neptune EK) can use malvertisements to seamlessly download
payloads without ever alerting of the user.

FireEye NX detects
exploit kit infection attempts
before the malware payload is
downloaded to the user’s machine. Additionally, malware payloads
dropped by exploit kits are detected in all other FireEye products.

Indicators of Compromise

Malvertisement domains:
  • hxxp://treknepal[.]club/
  • hxxp://highspirittrecks[.]club
  • hxxp://advnepaltrekking[.]club
  • hxxp://nepalyogatrek[.]club
  • hxxp://flvto[.]download
Malvertisement IPs:
  • 95.85.62.226
  • 185.82.202.36
EK domains (current active) registrant:

Domain Name: MANAGETHEWORLD.US
Domain ID: D59392852-US
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services):
http://www.namecheap[.]com
Domain Status:
clientTransferProhibited
Registrant ID: NLGUS4BVD3M2DN2Y
Registrant Name: kreb son
Registrant Address1: Maker 541
Registrant City: Navada
Registrant State/Province: SA
Registrant Postal Code: 546451
Registrant Country:
Bulgaria
Registrant Country Code: BG
Registrant Phone Number: +44.45623417852
Registrant Email:
gabendollar399@gmx[.]com
Registrant Application Purpose:
P1
Registrant Nexus Category: C11
Administrative Contact ID: VNM50NNJ5Y0VNLDY
Administrative Contact Name: kreb son
Administrative Contact Address1: Maker 541
Administrative Contact City: Navada
Administrative Contact State/Province: SA
Administrative Contact Postal Code: 546451
Administrative Contact Country: Bulgaria
Administrative Contact Country Code: BG
Administrative Contact Phone Number: +44.45623417852
Administrative Contact Email: gabendollar399@gmx[.]com

Sample EK URI Pattern:

forum_jVpbUAr/showthread.php?id=xxxxxxx

Sample MD5s:

b678ac0b870b78060a2a9f599000302d
5a18c92e148bbd7f10077f8e7431326e

Acknowledgement

We would like to thanks Hassan Faizan for his contributions to this discovery.

At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.