Robust and stealthier toolkits are predicted to emerge this year. This was first seen when the WhiteHole Exploit Kit appeared in the threat landscape. It took advantage of several vulnerabilities including the infamous CVE-2013-0422.
Additionally, there have been reports of another new exploit kit called “Neutrino” being sold in the underground. The exploit, which we detect as JAVA_EXPLOYT.NEU, takes advantage of the following vulnerabilities:
Systems running Java 7 Update 11 and below are vulnerable. When exploited successfully, it downloads a ransomware variant, detected as TROJ_RANSOM.NTW. Ransomware typically locks a computer until the user pays a certain amount of money as ransom. Our research paper Police Ransomware Update contains more information on this threat.
The vulnerabilities covered in CVE-2013-0431 were also exploited in a BlackHole Exploit Kit spam run that purported to come from PayPal. This vulnerability was addressed when Oracle released an out-of-band update, which itself raised issues and concerns. CVE-2012-1723, on the other hand, was employed by both the BlackHole Exploit Kit and the WhiteHole Exploit Kit.
The perpetrators of the Neutrino toolkit highlight the following features:
- User friendly control panel
- Easy management of domain and IP (a countermeasure to AV software)
- Continuous monitoring of AV statuses
- Traffic filtering
- Stealing target system information by means of browser plugin detectors
- Encryption of stolen information sent back to the server
- Filters what information to send
- Appropriate exploit recommendation
- Notification of vulnerability support, exploit codes and payloads
Based on an underground forum posting, the people behind Neutrino also offer rental of their servers, including server maintenance services. Renting the Neutrino kit costs US$40 per day and US$450 for an entire month. According to senior threats researcher Max Goncharov, the perpetrators have been known to buy iframe traffic since 2012 in order to generate profit. They may have built the toolkit on their own and then decided to sell it in the underground.
The methods in Neutrino are quite similar to others; however, the highlighted features in Neutrino mean that attackers are indeed becoming more sophisticated and organized.