The Neutrino Exploit Kit: Dead or Private?

It seems the exploit kit (EK) market has one major player fewer, as rumors have it that the notorious Neutrino EK has closed down. There is also a chance that Neutrino has moved to private clientele, but either way it is no longer available for rent.

Today, the French security researcher Kaffeine published a message found on criminal underground forums. It is a Jabber message sent by the Neutrino operator, and it reads: “we are closed. no new rents, no extends more”.

The message was published on September 9th, and one week later, around the 16th, all Neutrino advertisements were taken down from the underground hacking forums.

Security firms like Malwarebytes, Heimdal Security, Malware Traffic Analysis and others have noticed a slowdown in Neutrino's activity in the past month. Neutrino's clients didn't abandon it right after the message appeared, but they did start switching to the RIG EK instead. According to Kaffeine, after October 1st, with the exception of two campaigns, the Neutrino EK is all but gone.

At the end of last month, a large number of malvertising campaigns using Neutrino were taken down thanks to the combined efforts of Cisco and GoDaddy. Researchers say that the Neutrino crew retreated either because they feared being exposed and arrested or because their clients had lost trust in them. Based on the message found by Kaffeine, the first theory is the more believable one.

However, Kaffeine thinks there might be another possible explanation for why Neutrino was shut down. He says there is a chance that the gang behind the popular EK has decided to follow in the footsteps of Magnitude and become a private EK, one used by only a single criminal crew, but in large-scale operations.

“Are we witnessing the end of Neutrino Exploit Kit?” Kaffeine asks. “To some degree. In fact, it looks more like Neutrino is going in full ‘Private’ mode ‘a la’ Magnitude.”

Neutrino leaving doesn't mean that RIG is merely an acceptable substitute. In fact, Kaffeine said that RIG's developers have added new features to it, features not seen since the Angler EK shut down at the end of May.

One of the new features, a Traffic Distribution System (TDS), allows crooks to host multiple malware payloads on the same EK, dividing traffic based on geographical location, user agent, or other criteria. This feature is only seen in the best EKs, and it, together with the others, may even have contributed to Neutrino's demise.

Neutrino is the third major EK to sink this year after the deaths of the Angler and Nuclear EKs.

According to Kaffeine, it won't take long before this void is filled by new players. For instance, the researcher has noticed a new EK, dubbed Neutrino-v, which is currently operating mainly in Taiwan and South Korea.

Kaffeine has also reported another new private EK, Empire Pack, which appears to be one of the clones of the RIG EK, alongside RIG-v (RIG VIP), which is also active on the market.

Researchers say that it will take some time to understand for sure what happened with Neutrino. Whether it closed down for good or has gone private, only time will tell.
