Exploit kit (EK) activity has been on the decline ever since Angler
Exploit Kit was shut down in 2016. Fewer people using Internet Explorer
and a drop in browser support for Adobe Flash – two primary targets of
many exploit kits – have also contributed to this decline. Additionally,
some popular redirect campaigns using PseudoDarkleech and EITest Gate
to Rig Exploit Kit were shut down in the first half of this year.
Despite all this, malvertising
campaigns involving exploit kits remain active. The Neptune
Exploit Kit (or Terror EK), which initially started as a Sundown EK
copycat operation, has relied heavily on malvertisements. Early use of
this exploit kit saw domains with very similar patterns dropping
cryptocurrency miners through malvertisements:
Payloads spread by Neptune Exploit Kit have since diversified.
Recently, we have seen changes in Neptune EK’s URI patterns, landing
pages, malvertisement campaigns and login account details associated
with the cryptocurrency mining payloads.
Since July 16, our Dynamic Threat Intelligence (DTI) has observed
changes in URI patterns for Neptune Exploit Kit. At the time of
writing, the new campaign abuses a legitimate popup ad service (within
Alexa’s top 100) with redirects to ads about hiking clubs, as shown in
Figure 1.
Figure 1: Fake ad for a hiking club leading to Neptune EK
Redirects from domains associated with these ads eventually use 302
redirects to move victims to exploit kit landing pages. Fake domains
involved in these redirects imitate real domains. For example,
highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com.
Other fake hiking ads use similarly spoofed legitimate site names with
.club domains. Figure 2 shows a redirect from a fake site’s pop-up.
Figure 2: Silent redirect to EK landing page
FireEye Dynamic Threat Intelligence (DTI) stats show the regions
being affected by this campaign (Figure 3).
Figure 3: Regions affected by the malvertisement campaign, as observed from customer data
A few instances of the redirect involve flvto[.]download (mimicking
the legitimate www.flvto[.]biz) instead of fake hiking club ads.
Figure 4 and Figure 5 show the legitimate domain and fake domain,
respectively, for comparison’s sake.
Figure 4: Real page, flvto[.]biz (Alexa
Figure 5: Fake page, flvto[.]download
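
Both the hiking-club ads and the flvto case reuse a legitimate site's name under a different TLD and then issue a 302. The following is an added detection example, not code from the original post; the record fields, client addresses and the `landing.example` host are constructed assumptions.

```python
from urllib.parse import urlsplit

# Legitimate sites to protect. Both names are the real domains cited above.
KNOWN_GOOD = ("highspirittreks.com", "flvto.biz")

def refang(text):
    """Undo the [.] defanging used in reports so the value can be parsed."""
    return text.replace("[.]", ".")

def label_and_tld(host):
    """Split a hostname into (registrable label, TLD).

    Assumption: single-label TLDs only. Use a Public Suffix List library
    in production to handle suffixes such as co.uk.
    """
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else None

def imitated_domain(host, known_good=KNOWN_GOOD):
    """Return the legitimate domain whose name `host` reuses under another TLD."""
    split = label_and_tld(refang(host))
    if split is None:
        return None
    for good in known_good:
        if split[0] == good.split(".")[0] and split[1] != good.split(".")[-1]:
            return good
    return None

def flag_lookalike_redirects(records):
    """Return (client, lookalike host, imitated domain, next hop) per 302 hit."""
    hits = []
    for rec in records:
        host = urlsplit(refang(rec["url"])).hostname or ""
        good = imitated_domain(host)
        if good and rec["status"] == 302 and rec.get("location"):
            next_hop = urlsplit(refang(rec["location"])).hostname or ""
            hits.append((rec["client"], host, good, next_hop))
    return hits

# Constructed proxy records; "landing.example" is a placeholder host.
SAMPLE = [
    {"client": "10.0.0.5", "url": "http://highspirittreks[.]club/ad",
     "status": 302, "location": "http://landing.example/index"},
    {"client": "10.0.0.6", "url": "http://www.flvto[.]biz/",
     "status": 200, "location": None},
    {"client": "10.0.0.7", "url": "http://flvto[.]download/",
     "status": 302, "location": "http://landing.example/index"},
]
```
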
Most of the ads linked to this campaign have been observed on
high-traffic torrent and multimedia hosting sites.
Sites are hosted on IP 220.127.116.11. Reverse lookup for this
Other hosted IPs and domains of the same campaign are in the
Indicators of Compromise section at the end of the post. All IPs point
to locations in Amsterdam.
Since July 16, related EK infrastructure has been hosted on domains
protected by Whois Guard. However, in recent activity, domains are
linked to the Registrant email: ‘gabendollar399@gmx[.]com’.
The following domains are currently associated with this email:
The landing page for the Neptune Exploit Kit redirects to further
HTML and Adobe Flash exploit links after it checks the Flash versions
installed on the victim’s machine (see Figure 6).
Figure 6: Landing page of Neptune EK
This EK exploits multiple vulnerabilities in one run. Most of these
exploits are well-known and commonly seen in other exploit kits.
Currently, Neptune EK uses three Internet Explorer exploits and two
Payload (Monero miner)
The payload is dropped as a plain executable from one of the URIs
belonging to the EK domain (same as the landing page). Figure 7 shows
a typical response header for these cases.
Figure 7: Response header for Monero
Post infection traffic shows an attempt to connect to
minergate[.]com (Figure 8) and a login attempt using the cpu-miner
service via the login email monsterkill20@mail[.]com (Figure 9). Login
attempts are invoked via the command line:
Figure 8: DNS query to minergate[.]com
Figure 9: Login attempt
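
The chain described in this section (landing page, plain executable from the same host, then a DNS query for minergate[.]com) can be correlated across proxy and DNS logs. This is an added example, not code from the original post; the field names, hosts, timestamps, content types and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

MINER_DOMAIN = "minergate.com"   # mining service named above (defanged there)
WINDOW = timedelta(minutes=10)   # assumption: how soon the miner phones home

def is_miner_query(qname):
    """Match the mining domain or any subdomain, not a mere substring."""
    q = qname.lower().rstrip(".")
    return q == MINER_DOMAIN or q.endswith("." + MINER_DOMAIN)

def correlate(http_events, dns_events):
    """Return (client, host, download time, DNS time) for each full chain:
    HTML page, then a PE from the same host, then a miner DNS query."""
    alerts = []
    for exe in http_events:
        if exe["magic"] != b"MZ":      # Windows PE files start with "MZ"
            continue
        landed = any(
            h["client"] == exe["client"] and h["host"] == exe["host"]
            and h["ctype"].startswith("text/html") and h["ts"] <= exe["ts"]
            for h in http_events)
        if not landed:
            continue
        for q in dns_events:
            delay = q["ts"] - exe["ts"]
            if (q["client"] == exe["client"] and is_miner_query(q["qname"])
                    and timedelta(0) <= delay <= WINDOW):
                alerts.append((exe["client"], exe["host"], exe["ts"], q["ts"]))
                break
    return alerts

def _t(hhmmss):
    return datetime.fromisoformat("2000-01-01T" + hhmmss)  # constructed date

# Constructed events; "magic" is the first two body bytes seen by the proxy.
HTTP = [
    {"ts": _t("10:00:00"), "client": "10.0.0.5", "host": "ek.example",
     "ctype": "text/html", "magic": b"<h"},
    {"ts": _t("10:00:07"), "client": "10.0.0.5", "host": "ek.example",
     "ctype": "application/octet-stream", "magic": b"MZ"},
    {"ts": _t("10:05:00"), "client": "10.0.0.9", "host": "vendor.example",
     "ctype": "application/octet-stream", "magic": b"MZ"},
]
DNS = [
    {"ts": _t("10:00:40"), "client": "10.0.0.5", "qname": "minergate.com."},
    {"ts": _t("10:06:00"), "client": "10.0.0.9", "qname": "notminergate.com"},
]
```
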
Despite an observable decline in exploit kit activity, users are
still at risk, especially if they have outdated or unpatched software.
This threat is especially dangerous considering drive-by exploit kits
(such as Neptune EK) can use malvertisements to seamlessly download
payloads without ever alerting the user.
FireEye NX detects exploit kit infection attempts before the malware
payload is downloaded to the user’s machine. Additionally, malware
payloads dropped by exploit kits are detected in all other FireEye
products.
Indicators of Compromise
EK domains (current active) registrant:
Domain Name: MANAGETHEWORLD.US
Domain ID: D59392852-US
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services):
Registrant ID: NLGUS4BVD3M2DN2Y
Registrant Name: kreb son
Registrant Address1: Maker 541
Registrant City: Navada
Registrant State/Province: SA
Registrant Postal Code: 546451
Registrant Country Code: BG
Registrant Phone Number: +44.45623417852
Registrant Application Purpose:
Registrant Nexus Category: C11
Administrative Contact ID: VNM50NNJ5Y0VNLDY
Administrative Contact Name: kreb son
Administrative Contact Address1: Maker 541
Administrative Contact City: Navada
Administrative Contact State/Province: SA
Administrative Contact Postal Code: 546451
Administrative Contact Country: Bulgaria
Administrative Contact Country Code: BG
Administrative Contact Phone Number: +44.45623417852
Administrative Contact Email: gabendollar399@gmx[.]com
Sample EK URI Pattern:
We would like to thank Hassan Faizan for his contributions to this discovery.