It is increasingly common for cybercriminals to sell their products as commercial packages comprising:
- a builder – an application that packs the payload and embeds customized information within it for the particular distributor (e.g. some configuration, the C&C address, etc.)
- a malicious payload – a frontend of the malware used for infecting users
- a C&C panel – the backend of the malware, usually a web application, frequently built for a LAMP (Linux, Apache, MySQL, PHP) environment
Such packages are sold on the black market as commercial products and allow purchasers without any coding experience to run large-scale malware campaigns, typically aimed at infecting huge numbers of PCs and turning them into “zombie” nodes in a botnet.
The Neutrino exploit kit is one such package, and security researchers have noticed that it seems to have recently gone dormant. Security firm F-Secure noted on Twitter earlier this month that they haven’t seen any Neutrino-related activity for almost three months. The French malware researcher Kafeine also tweeted that “Neutrino waves are now dead flat”, and has seen none since April 10.
From July to September 2016, Neutrino dominated the world’s exploit kit market. It compromised legitimate websites with malicious code and then launched drive-by attacks against their visitors, probing their systems for weaknesses. At its height, it rented for $7,000 per month. Then, in September 2016, Neutrino suddenly announced it would continue to operate only in “private mode” for an exclusive group of clients. Even so, in January 2017 Neutrino was still testing two new exploits for the Microsoft Edge browser. By April, though, Neutrino the exploit kit (as distinct from the Neutrino bot) seems to have disappeared entirely.
Part of its decline appears to be because Neutrino’s developer lost market share to rivals, according to US malware researcher BleepingComputer. There is certainly no dearth of competing exploit kits. Some researchers say Neutrino has already been supplanted by RIG, formerly its chief rival and now the dominant exploit kit on the black market.
Recently, an old version of the Neutrino botnet builder (distinct from the exploit kit) was leaked, and the cybersecurity firm Malwarebytes took the opportunity to analyze it and publish its findings. The detailed analysis by @hasherezade is available on the Malwarebytes blog.
Malwarebytes also recently reported on activity it picked up from the Disdain exploit kit [ADD LINK]. Apparently, the Disdain exploit kit is being distributed again, after a short pause, via malvertising chains, and now delivers the Neutrino bot as its payload since the Neutrino exploit kit is defunct.
Disdain EK relies on older vulnerabilities that have already been patched, and some of its exploits don’t seem to be working properly. This means that its conversion rate, from traffic to infection, will be lower than RIG’s. According to Malwarebytes, this is why Disdain is being used as a drive-by download alongside a social engineering attack: to increase the probability of infection.
The most successful malware attacks, according to Malwarebytes security researcher Jerome Segura, are those in which threat actors try new tricks in distribution and evasion. The campaigns that draw a large amount of traffic and use clever techniques to fool users are the ones with the greatest success.
Systems that are regularly patched and updated shouldn’t be affected by the Disdain exploit kit or the Neutrino bot, since the kit relies on vulnerabilities for which fixes are already available.