Neptune exploit kit used to deliver Monero cryptocurrency miners via malvertising

According to a new report published by FireEye, crooks have been using the Neptune exploit kit to deliver cryptocurrency miners via malvertising campaigns.

According to experts at FireEye, crooks are exploiting the Neptune exploit kit (aka Terror EK, Eris, and Blaze) to delivery cryptocurrency miners via malvertising campaigns. The Neptune exploit kit was first spotted in January and was initially classified as a variant of the Sundown exploit kit due to the several similarities in its code.

“The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisement” reads the analysis published by FireEye.

We already reported a significant drop in the exploit kit activity since the disappearance of the Angler EK and Neutrino EK, then the principal exploit kits became the Sundown EK.

Crooks are continuing to use the Neptune exploit kit in malvertising campaigns, the last trend is its employment in campaigns aiming to deliver cryptocurrency miners.

The FireEye analysis highlights the numerous changes in the recent attacks delivering the cryptocurrency miners, including payloads, URI patterns, and landing pages.

Since July 16, FireEye experts have observed changes in URI patterns for Neptune Exploit Kit, the last campaign monitored was abusing a legitimate popup ad service (within Alexa’s top 100) with redirects to ads about hiking clubs.

The countries most affected by the campaign are South Korea (29%), Europe (19%), and Thailand (13%), followed by Middle East (13%) and the United States (10%).

The ads used in the Neptune exploit kit campaign analyzed by FireEye were mostly served on popular torrent and hosting websites.

The landing pages were hosting the following exploits to trigger well-known vulnerabilities:

• CVE-2016-0189 – Internet Explorer
• CVE-2015-2419 – Internet Explorer
• CVE-2014-6332 – Internet Explorer
• CVE-2015-8651 – Adobe Flash Player
• CVE-2015-7645 – Adobe Flash Player

The payload delivered in the last Neptune Exploit Kit campaign is a Monero cryptocurrency Miner.

“Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting of the user.” concluded FireEye.”FireEye NX detects exploit kit infection attempts before the malware payload is downloaded to the user’s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.”

FireEye also included in the analysis the IoCs.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Neptune Exploit Kit, hacking)

[adrotate banner=”13″]