Neutrino Exploit Kit drive by attack (Feb 7, 2014)

The Dell SonicWALL Threats Research team analyzed a drive-by attack involving the Neutrino cyber-crime exploit kit which, on successful exploitation, downloads additional malware onto the target system. The malware in this case is the backdoor Trojan Pakes.ADDS.

The Neutrino Exploit Kit is another web-based cyber-crime exploit kit; it emerged in early 2013 with exploit payloads targeting multiple Java vulnerabilities. Like many other web-based exploit kits, it uses browser plugin-detection code to fingerprint the target environment, including the versions of the browser, Java, Adobe Flash, Adobe Reader and similar plugins. The exploit payload matching the identified vulnerable application is then served, leading to the malware infection. Neutrino follows the standard exploit-kit flow, but it has one distinctive feature: it keeps the heavily obfuscated JavaScript separate from the plugin-detection code, in an attempt to evade AV detection.

Below is a sample of the web requests made by the target machine during the Neutrino Exploit Kit infection cycle:

The Neutrino Exploit Kit follows the same business model as the now-obsolete Blackhole Exploit Kit. According to information from an underground forum, the author rents hosted Exploit Kit servers at $40 USD per day, $150 USD per week, and $450 USD per month.

In our test case, upon successful exploitation the Exploit Kit served a malicious .NET executable, which was downloaded and executed on the target machine.

The downloaded file uses the following icon:

The following image shows how the malicious payload is decrypted and executed by the .NET executable.

It attempts to connect to the remote server khalidandrozay.ru and sends information stolen from the victim machine.

It also creates a scheduled task named Windows Update Check that runs the dropped malware executable at Windows logon, with the highest run level, as seen below:

    C:\Windows\System32\schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - " /TR "C:\Program Files\Common Files\dkfnvkunv99450495i49oisxcdlvd.exe" /RL HIGHEST
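
Defenders can hunt for this persistence pattern in process-creation telemetry. The following Python triage script is an added example for this post, not SonicWALL's code or the UTM signature. It assumes the analyst already collects process command lines (for example from Sysmon Event ID 1 or Windows Security Event 4688), and the sample lines inside it are constructed: the first is the dropper's command above with its backslashes restored, the other two are a benign task and an unrelated process. The directory list, lure words and the random-name rule are heuristics chosen for the example.

```python
"""Triage schtasks /CREATE command lines for logon-persistence tasks.

Added example for this post (not SonicWALL's code or signature). It assumes
the analyst already collects process command lines, e.g. from Sysmon Event
ID 1 or Windows Security Event 4688, and wants a quick rule that surfaces
tasks shaped like the one the Pakes.ADDS dropper creates. The sample log
lines below are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Windows command-line tokenizer: a double-quoted argument or a run of
# non-whitespace. schtasks requires quoting for /TN and /TR values with spaces.
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')

# Directories where a task's executable is unusual for a legitimate task
# (user-writable, or, as in this sample, dropped into Common Files).
# Heuristic list chosen for this example.
UNUSUAL_EXE_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\",
                    "\\programdata\\", "\\common files\\", "\\public\\")

# Words malware uses to make a task name look like a vendor/system task.
LURE_WORDS = ("windows update", "microsoft", "security", "defender", "adobe", "java")


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, keeping quoted values whole."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the /OPTION -> value map for a schtasks /CREATE line, else None."""
    argv = split_cmdline(cmdline)
    if not argv or PureWindowsPath(argv[0]).name.lower() != "schtasks.exe":
        return None
    opts = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            # A value follows unless the next token is another /switch.
            if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                opts[key] = argv[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts if "CREATE" in opts else None


def looks_random(path):
    """Heuristic: long alphanumeric gibberish file name, like the dropper's."""
    stem = PureWindowsPath(path).stem
    return (len(stem) >= 16
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage_schtasks(cmdline):
    """Score one command line; returns None if it is not a schtasks /CREATE."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return None
    reasons = []
    trigger = str(opts.get("SC", "")).upper()
    if trigger in ("ONLOGON", "ONSTART"):
        reasons.append(f"persistence trigger /SC {trigger}")
    if str(opts.get("RL", "")).upper() == "HIGHEST":
        reasons.append("elevated run level (/RL HIGHEST)")
    task_run = str(opts.get("TR", ""))
    if any(d in task_run.lower() for d in UNUSUAL_EXE_DIRS):
        reasons.append(f"executable in unusual location: {task_run}")
    if looks_random(task_run):
        reasons.append("random-looking executable name")
    task_name = str(opts.get("TN", ""))
    if any(w in task_name.lower() for w in LURE_WORDS):
        reasons.append(f"task name imitates a system/vendor task: {task_name!r}")
    return {"task_name": task_name, "command": task_run,
            "score": len(reasons), "reasons": reasons}


def triage_log(cmdlines, min_score=2):
    """Return triage results for every line scoring at least min_score."""
    findings = []
    for line in cmdlines:
        result = triage_schtasks(line)
        if result and result["score"] >= min_score:
            findings.append(result)
    return findings


# Constructed sample: the dropper's command line from this post (with the
# backslashes restored) plus a benign task and an unrelated process.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - " '
    r'/TR "C:\Program Files\Common Files\dkfnvkunv99450495i49oisxcdlvd.exe" /RL HIGHEST',
    r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN "Backup\Nightly" '
    r'/TR "C:\Program Files\Backup\backup.exe"',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_CMDLINES):
        print(f"[score {finding['score']}] {finding['task_name']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, only the dropper's line is reported: it trips all five indicators (logon trigger, highest run level, executable under Common Files, gibberish file name, and a task name borrowing "Windows Update"), while the nightly backup task scores zero. The threshold and the word and directory lists are starting points to tune against an environment's own legitimate tasks; a single indicator such as /RL HIGHEST is common in benign administrative tasks, which is why the rule requires at least two.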

Dell SonicWALL UTM appliances provide protection against this threat with the following signature:

  • GAV: Pakes.ADDS (Trojan)