Security researchers at FireEye have published a report stating that the Neptune exploit kit is being used by attackers to deliver cryptocurrency miners through malvertising campaigns.
First seen in January of this year, the Neptune exploit kit (also known as Terror EK, Eris and Blaze) was initially classified as a variant of the Sundown exploit kit because of similarities in its code.
“The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisement,” the analysis published by FireEye states.
After the Angler EK and the Neutrino EK disappeared, exploit kit activity dropped significantly and the Sundown EK became the principal exploit kit.
Attackers continue to use the Neptune exploit kit in malvertising campaigns, and the latest trend is its use in campaigns that deliver cryptocurrency miners.
According to the FireEye experts, the latest miner-delivery attacks show a number of changes, including in the payloads, the landing pages and the URI patterns.
Since mid-July, the FireEye researchers have observed changes in the URI patterns used by the Neptune exploit kit. The most recent malvertising campaign abused a legitimate popup ad service (ranked within Alexa’s top 100), with redirects through hiking-club ads leading victims to the kit’s landing pages.
The regions most affected by the malvertising campaign were South Korea (29%), Europe (19%), Thailand (13%), the Middle East (13%) and the United States (10%).
After analysing the ads used by the Neptune exploit kit, FireEye found that they were served mostly on popular torrent and hosting websites.
The landing pages hosted exploits for the following vulnerabilities, all of which had been patched by Microsoft and Adobe well before this campaign, so only unpatched or out-of-date browsers and Flash plugins are exposed:
CVE-2016-0189 – Internet Explorer (scripting engine memory corruption)
CVE-2015-2419 – Internet Explorer (JScript9 memory corruption)
CVE-2014-6332 – Internet Explorer (OLE Automation array remote code execution)
CVE-2015-8651 – Adobe Flash Player (integer overflow)
CVE-2015-7645 – Adobe Flash Player (type confusion)
The payload delivered in the latest Neptune exploit kit campaign is a Monero cryptocurrency miner.
“Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user,” concluded FireEye. “FireEye NX detects exploit kit infection attempts before the malware payload is downloaded to the user’s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.”