Neutrino, RIG EKs Kick Off 2016 with Shiny New Attacks, Payloads

The holidays are over and the world has gone back to work—and so have the cyber-criminals. Two exploit kit campaigns have been spotted in the wild sporting new tactics and significant improvements.

Heimdal Security has noted a substantial increase in exploit kit activity for Neutrino, RIG and Angler. Notably, Neutrino’s latest mutations include serving Kovter and Cryptolocker2, while the RIG exploit kit is now poisoning Google search results with malicious links.

In the Neutrino campaign, there has been a “very recent change in the servers” that it abuses, according to Andra Zaharia, security specialist at Heimdal.

“The campaign was just launched this morning and it has injected malicious script code into legitimate websites,” Zaharia said, in a blog. “When visiting these websites, the victim is moved to a selection of dedicated domains which connect to a series of new servers controlled by the attackers. These new servers are also the source of the malicious payload.”

This new campaign also comes with added surreptitious tricks: Google Blackhat SEO poisoning and an immediate focus on using Flash Player vulnerabilities as a distribution vector.

This version of Neutrino exploit kit also has an improved payload delivery process. It now includes a series of tests that can figure out if the browser and the Flash Player plugin are up to date; these tests can also detect if a debugger is present in memory. And unfortunately, the campaign has an infection success rate of 56% on Windows 7 PCs with Internet Explorer 9.

Meanwhile, the RIG campaign is featuring a fresh version of the EK, RIG’s third version. Heimdal found it to be systematically abusing known vulnerabilities in popular third-party applications like Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight to plant malware on outdated Microsoft Windows PCs.

This RIG-serving campaign spreads through drive-by attacks by using Google Blackhat SEO poisoning; the delivered payloads vary between an infostealer from the Pony family and the TofSee Trojan.

The campaign is also savvy, using watering hole search terms like “Christmas tree removal” to attract victims.

“This means that, when doing a simple Google search on how to easily remove the Christmas tree, a user can get results that point to the swarm of compromised websites where malicious script code is injected,” Zaharia noted.

Both campaigns have very low detection rates (0/51 and 2/55—VirusTotal links included) and users are urged to keep their software up to date at all times and to use a multi-layered security system to protect their PCs. According to US-CERT, as many as 85% of all targeted attacks can be prevented by simply applying the latest security patches.

Photo © Cranach

What’s Hot on Infosecurity Magazine?