Neutrino Serves CryptoWall 3.0 from Thousands of WordPress Sites

The Neutrino Exploit Kit (EK) is spreading via fresh WordPress compromises, delivering a miserable payload: CryptoWall 3.0.

Zscaler said in an analysis that in the beginning of July, Neutrino incorporated the HackingTeam 0-day (CVE-2015-5119), “and in the past few days we've seen a massive uptick in the use of the kit.”

WordPress sites running version 4.2 and lower are being compromised: more than 2,600 unique WordPress sites have been used, and more than 4,200 distinct pages were logged with dynamic iframe injection in the last month. Those sites are now serving the ransomware to unsuspecting visitors.

Analysis of the infection cycle shows multiple recent changes in the Neutrino code; some are normally characteristic of the Angler Exploit Kit, while others remain unique to Neutrino.

“The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials and finally injecting an iframe that loads a Neutrino landing page,” Zscaler noted. “The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler samples.”

The injected code specifically targets Internet Explorer, so visitors using other browsers are not served the iframe, and a cookie prevents the iframe from being served more than once to the same victim.
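The injection pattern described above (an iframe placed immediately after the BODY tag, loading a landing page from a server that is not the compromised site) is something a site owner can check for in their own pages. The following is an added example for defenders, not code from the Zscaler analysis; the hostnames in the sample HTML are constructed placeholders.

```python
"""Flag an <iframe> that is the first element after <body> and points off-site.

Added defensive example; not part of the original article or Zscaler's tooling.
Runs offline over constructed HTML samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class BodyIframeFinder(HTMLParser):
    """Collect iframes whose nearest preceding start tag is <body>."""

    def __init__(self):
        super().__init__()
        self.last_start_tag = None   # most recent start tag seen (text/comments ignored)
        self.findings = []           # attribute dicts of iframes found right after <body>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so "<BODY>" and "<body>" both match.
        if tag == "iframe" and self.last_start_tag == "body":
            self.findings.append(dict(attrs))
        self.last_start_tag = tag


def find_injected_iframes(html, site_host):
    """Return src values of iframes that sit immediately after <body> and whose
    host differs from site_host (the EK landing page is served from an
    attacker-controlled server, so a same-site iframe is not flagged)."""
    parser = BodyIframeFinder()
    parser.feed(html)
    suspicious = []
    for attrs in parser.findings:
        src = attrs.get("src", "")
        host = urlparse(src).hostname      # handles http://, https:// and //host/ forms
        if host and host.lower() != site_host.lower():
            suspicious.append(src)
    return suspicious


# Constructed samples; the .invalid hosts are placeholders, not real indicators.
SITE = "victim-blog.example.invalid"
CLEAN_PAGE = "<html><body><div id='page'><p>Hello</p></div></body></html>"
INJECTED_PAGE = ("<html><body><iframe src='http://ek-landing.example.invalid/land' "
                 "width='1' height='1' style='visibility:hidden'></iframe>"
                 "<div id='page'><p>Hello</p></div></body></html>")
SAME_SITE_PAGE = ("<html><body><iframe src='https://victim-blog.example.invalid/embed'>"
                  "</iframe><div id='page'></div></body></html>")
```

A hit is a signal to inspect the theme and plugin files that emit the page header, not proof of compromise on its own; an iframe wrapped in another element (for example inside `<noscript>`) is deliberately not matched, since the pattern described here is an iframe directly after BODY.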

“WordPress, being a widely popular and free content management system (CMS), remains one of the most attractive targets for cyber criminals,” said the firm. “WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware. This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.”
