Thousands of WordPress sites host Neutrino Exploit Kit

Experts from security company Zscaler have uncovered a malware campaign which relies on thousands of hijacked WordPress sites hosting the Neutrino Exploit Kit.

According to the experts at the Zscaler security firm, cybercriminals have compromised more than 2,600 WordPress websites over the past month and deployed malicious iframes on 4,200 distinct pages. The criminals exploited vulnerable versions of WordPress 4.2, and prior, to plant the iframes which are used to redirect users to domains hosting the Neutrino exploit kit.

The Neutrino landing page is designed to exploit Flash Player vulnerabilities in order to serve the last variant of the popular ransomware CryptoWall 3.0. Also in this case the variant of the Neutrino exploit kit leveraged in the attack includes the Flash Player exploits leaked in the Hacking Team breach.

“Neutrino reportedly incorporated the HackingTeam 0day (CVE-2015-5119), and in the past few days we’ve seen a massive uptick in the use of the kit. The cause for this uptick appears due to widespread WordPress site compromises. ThreatLabZ started seeing a new campaign where WordPress sites running version 4.2 and lower were compromised, and the image below illustrates the components involved in this campaign.” Zscaler said in a blog post.

However, in the last weeks, Zscaler researchers noticed a spike in the use of Neutrino exploit kit.

After the arrest of the author of the Blackhole exploit kit, the Angler exploit kit have reached the maximum popularity, but the recent spike in the Neutrino Exploit Kit traffic demonstrated that also this Exploit Kit is considered a valid option in the criminal ecosystem.

Brad Duncan, a handler at the SANS Institute’s Internet Storm Center, confirmed the spike in the Neutrino Exploit Kit traffic.

“Our preliminary analysis indicates the actor behind a significant amount of Angler EK during recent months switched to Neutrino EK sometime this week. We don’t have enough data to know if this change is permanent,” he explained in a blog post. “If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic. However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this,”.

The report from the SANS Institute blames a cybercrime crew that had abandoned the Angler Exploit Kit and moved operations to the Neutrino exploit kit.

Researchers from both organizations confirmed that the primary IP address for the Neutrino landing page is 185[.]44[.]105[.]7, registered to a “Max Vlapet” in Moscow.

The exploitation of compromised instances of WordPress CMS is very common for cyber criminals, this campaign confirms that Neutrino Exploit Kit is still considered one of the most reliable exploit kit.

“WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware,”“This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.” added Zscaler.

Pierluigi Paganini

(Security Affairs – Neutrino Exploit Kit, cybercrime)