This post explains the pros and cons of using user agents when browsing the world wide web. What does it reveal and why?
Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular redirect campaigns using PseudoDarkleech and EITest Gate to Rig Exploit Kit were shut down in the first half of this year.
Despite all this, malvertising campaigns involving exploit kits remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:
Payloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK’s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads.
Since July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa’s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.
Figure 1: Fake ad for a hiking club leading to Neptune EK
Redirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other fake hiking ads use similarly spoofed legitimate site names under .club domains. Figure 2 shows a redirect from a fake site’s pop-up.
Figure 2: Silent redirect to EK landing page
FireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3).
Figure 3: Regions affected by the malvertisement campaign, as observed from customer data
A few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison’s sake.
Figure 4: Real page, flvto[.]biz (Alexa
Figure 5: Fake page, flvto[.]download
Most of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.
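The redirect chain described above (popup ad, spoofed .club or .download host, 302 to the landing page) is something a proxy-log review can surface on its own. The following is an added example, not FireEye's code or data: it parses constructed proxy log lines, stitches each client's 302 hops into chains, and flags any hop whose hostname reuses the label of a known legitimate domain under a different TLD, which is exactly the highspirittreks[.]club / highspirittreks[.]com and flvto[.]download / flvto[.]biz pattern. The log format, the `popupads.example` and `ek-landing.example` hostnames, and the client IPs are all constructed.

```python
"""Lookalike-domain redirect-chain detector (added example, not FireEye's code).
Parses constructed proxy log lines, stitches 302 hops per client into chains,
and flags hops whose host imitates a legitimate domain under another TLD."""
import re
from urllib.parse import urlparse

# Constructed sample log (not real telemetry).  Fields:
# timestamp client method requested-url status location-header ('-' if none)
SAMPLE_LOG = """\
2017-07-20T10:00:01Z 10.0.0.5 GET http://popupads.example/serve?id=1 302 http://highspirittreks.club/ads/hike.html
2017-07-20T10:00:02Z 10.0.0.5 GET http://highspirittreks.club/ads/hike.html 302 http://ek-landing.example/index.php?x=1
2017-07-20T10:00:03Z 10.0.0.5 GET http://ek-landing.example/index.php?x=1 200 -
2017-07-20T10:05:00Z 10.0.0.7 GET http://flvto.download/convert 302 http://ek-landing.example/index.php?x=2
2017-07-20T10:06:00Z 10.0.0.9 GET http://highspirittreks.com/ 200 -
"""

# Legitimate sites named in the post; in practice this is the allowlist of
# brands and domains you want to watch for impersonation.
LEGIT_DOMAINS = {"highspirittreks.com", "flvto.biz"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)


def registrable(host):
    """Split a hostname into (label, suffix): 'flvto.download' -> ('flvto', 'download').
    Naive on purpose: the last dot is the suffix boundary, so multi-part public
    suffixes such as co.uk are not handled (use a public-suffix list for that)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def lookalike_of(host, legit=LEGIT_DOMAINS):
    """Return the legitimate domain that `host` imitates (same label, different
    suffix), or None when the host is itself legitimate or unrelated."""
    host = host.lower()
    if host in legit:
        return None
    label, _ = registrable(host)
    for good in legit:
        if registrable(good)[0] == label:
            return good
    return None


def parse_log(text):
    """Parse log lines into dicts, adding the requested URL's hostname."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        event = m.groupdict()
        event["host"] = urlparse(event["url"]).hostname or ""
        events.append(event)
    return events


def redirect_chains(events):
    """Stitch per-client 302 hops into chains: a request whose URL equals the
    Location header of that client's previous 302 response extends the chain."""
    chains = []
    pending = {}  # client -> (chain, URL expected next)
    for e in events:
        client = e["client"]
        if client in pending and pending[client][1] == e["url"]:
            chain = pending[client][0]
            chain.append(e["host"])
        else:
            chain = [e["host"]]
            chains.append((client, chain))
        if e["status"] == "302" and e["location"] != "-":
            pending[client] = (chain, e["location"])
        else:
            pending.pop(client, None)
    return chains


def detect(text):
    """One alert per redirect chain that passes through a lookalike host."""
    alerts = []
    for client, hosts in redirect_chains(parse_log(text)):
        hits = [(h, lookalike_of(h)) for h in hosts if lookalike_of(h)]
        if hits:
            alerts.append({"client": client, "chain": hosts, "lookalikes": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector reports the three-hop chain for 10.0.0.5 (with highspirittreks.club flagged as a lookalike of highspirittreks.com) and the single flvto.download hop for 10.0.0.7, while the genuine highspirittreks.com visit is left alone. The chain stitching only follows Location headers the proxy logged, so JavaScript-driven redirects such as the silent pop-up in Figure 2 appear as separate chains rather than one; the lookalike check still fires on them because it is evaluated per host.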
Sites are hosted on IP 18.104.22.168. Reverse lookup for this
Other hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.
Since July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: ‘gabendollar399@gmx[.]com’. The following domains are currently associated with this email:
1 HOST RUSSIA, INC
1 HOST RUSSIA, INC
1 HOST RUSSIA, INC
The landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim’s machine (see Figure 6).
Figure 6: Landing page of Neptune EK
This EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.
Currently, Neptune EK uses three Internet Explorer exploits and two
Adobe Flash Player
Adobe Flash Player
Payload (Monero miner)
The payload is dropped as a plain executable from one of the URIs belonging to the EK domain (the same domain as the landing page). Figure 7 shows a typical response header for these cases.
Figure 7: Response header for Monero
Post-infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:
Figure 8: DNS query to minergate[.]com
Figure 9: Login attempt
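The two post-infection observables above (a DNS query for minergate[.]com and a command line carrying the login email monsterkill20@mail[.]com) are the kind of pair worth correlating rather than alerting on separately. The following is an added example, not FireEye's code or telemetry: it scores constructed DNS and process-creation events per host, rating a miner login that follows a miner DNS query within a short window higher than either indicator alone. The hostnames, paths and the `--login` argument are constructed placeholders; the post does not show the miner's real command-line syntax, and the check matches only the email string, not any flag.

```python
"""Post-infection indicator correlation (added example, not FireEye's code).
Scores constructed DNS and process events against the two indicators the post
names and raises severity when both occur on one host within a short window."""
from datetime import datetime, timedelta

# Indicators from the post, refanged so they match live telemetry.
MINER_DOMAIN = "minergate[.]com".replace("[.]", ".")
MINER_LOGIN = "monsterkill20@mail[.]com".replace("[.]", ".")

# Constructed events (not real telemetry).  '--login' is a placeholder: the
# page does not show the real miner syntax, and detection ignores the flag.
DNS_EVENTS = [
    {"ts": "2017-07-20T10:00:10Z", "host": "WS-01", "query": "minergate.com"},
    {"ts": "2017-07-20T11:00:00Z", "host": "WS-02", "query": "minergate.com"},
    {"ts": "2017-07-20T11:00:05Z", "host": "WS-02", "query": "update.example"},
]
PROCESS_EVENTS = [
    {"ts": "2017-07-20T10:00:12Z", "host": "WS-01",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\svc.exe --login monsterkill20@mail.com"},
    {"ts": "2017-07-20T12:30:00Z", "host": "WS-03",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\svc.exe --login monsterkill20@mail.com"},
    {"ts": "2017-07-20T12:31:00Z", "host": "WS-03",
     "cmdline": r"C:\Windows\System32\notepad.exe"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def miner_dns_hosts(dns_events):
    """Map host -> timestamps at which it resolved the miner domain (or a subdomain)."""
    hits = {}
    for d in dns_events:
        q = d["query"].lower().rstrip(".")
        if q == MINER_DOMAIN or q.endswith("." + MINER_DOMAIN):
            hits.setdefault(d["host"], []).append(parse_ts(d["ts"]))
    return hits


def correlate(dns_events, proc_events, window=timedelta(minutes=5)):
    """Return one alert per host, sorted by host name:
    high   - miner login on a command line preceded by a miner DNS query
    medium - miner login on a command line, no DNS query seen
    low    - miner DNS query only"""
    dns_hits = miner_dns_hosts(dns_events)
    alerts = {}
    for p in proc_events:
        if MINER_LOGIN not in p["cmdline"].lower():
            continue
        t = parse_ts(p["ts"])
        # timedelta(0) rather than 0: Python will not compare int to timedelta
        preceded = any(timedelta(0) <= (t - dt) <= window
                       for dt in dns_hits.get(p["host"], []))
        alerts[p["host"]] = {"host": p["host"],
                             "severity": "high" if preceded else "medium",
                             "evidence": p["cmdline"]}
    for host in dns_hits:
        alerts.setdefault(host, {"host": host, "severity": "low",
                                 "evidence": "dns:" + MINER_DOMAIN})
    return [alerts[h] for h in sorted(alerts)]


if __name__ == "__main__":
    for alert in correlate(DNS_EVENTS, PROCESS_EVENTS):
        print(alert["host"], alert["severity"], alert["evidence"])
```

With the constructed events, WS-01 scores high (DNS query two seconds before the login), WS-03 medium (login string with no DNS evidence, which happens when DNS logging is incomplete or the host was already resolved and cached), and WS-02 low (DNS only, which on its own may just be a user browsing to the site). The window is deliberately short because the post describes the login attempt as immediate post-infection behaviour.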
Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering that drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.
FireEye NX detects exploit kit infection attempts before the malware payload is downloaded to the user’s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.
Indicators of Compromise
EK domains (currently active) registrant:
Domain Name: MANAGETHEWORLD.US
Domain ID: D59392852-US
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services):
Registrant ID: NLGUS4BVD3M2DN2Y
Registrant Name: kreb son
Registrant Address1: Maker 541
Registrant City: Navada
Registrant State/Province: SA
Registrant Postal Code: 546451
Registrant Country Code: BG
Registrant Phone Number: +44.45623417852
Registrant Application Purpose:
Registrant Nexus Category: C11
Administrative Contact ID: VNM50NNJ5Y0VNLDY
Administrative Contact Name: kreb son
Administrative Contact Address1: Maker 541
Administrative Contact City: Navada
Administrative Contact State/Province: SA
Administrative Contact Postal Code: 546451
Administrative Contact Country: Bulgaria
Administrative Contact Country Code: BG
Administrative Contact Phone Number: +44.45623417852
Administrative Contact Email: gabendollar399@gmx[.]com
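The WHOIS record above is useful mainly for pivoting: the registrant email, phone number and name are the values to search other records for when the same operator registers new domains (the post itself ties the current domains together through gabendollar399@gmx[.]com). The following is an added example, not FireEye's code: it parses the `Field: value` record exactly as printed above, extracts those pivot fields with their defanged values refanged for lookups, and reports which pivots two records share. The second record, EXAMPLE-PIVOT.US, is constructed to share only the phone number.

```python
"""WHOIS pivot extractor (added example, not FireEye's code).  Parses a
'Field: value' record, extracts the name/phone/e-mail fields analysts pivot
on, and reports which pivots two records share."""

# Record text as it appears in the post (values defanged with [.]).
WHOIS_MANAGETHEWORLD = """\
Domain Name: MANAGETHEWORLD.US
Domain ID: D59392852-US
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services):
Registrant ID: NLGUS4BVD3M2DN2Y
Registrant Name: kreb son
Registrant Address1: Maker 541
Registrant City: Navada
Registrant State/Province: SA
Registrant Postal Code: 546451
Registrant Country Code: BG
Registrant Phone Number: +44.45623417852
Registrant Application Purpose:
Registrant Nexus Category: C11
Administrative Contact ID: VNM50NNJ5Y0VNLDY
Administrative Contact Name: kreb son
Administrative Contact Address1: Maker 541
Administrative Contact City: Navada
Administrative Contact State/Province: SA
Administrative Contact Postal Code: 546451
Administrative Contact Country: Bulgaria
Administrative Contact Country Code: BG
Administrative Contact Phone Number: +44.45623417852
Administrative Contact Email: gabendollar399@gmx[.]com
"""

# Constructed second record (hypothetical domain) that shares only the phone number.
WHOIS_OTHER = """\
Domain Name: EXAMPLE-PIVOT.US
Registrant Name: jane roe
Registrant Phone Number: +44.45623417852
Administrative Contact Email: someone@example.invalid
"""

# Field names whose values identify the registrant rather than the domain.
PIVOT_FIELDS = {
    "name": ("Registrant Name", "Administrative Contact Name"),
    "phone": ("Registrant Phone Number", "Administrative Contact Phone Number"),
    "email": ("Registrant Email", "Administrative Contact Email"),
}


def refang(value):
    """Turn defanged notation back into a live indicator for lookups."""
    return value.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def defang(value):
    """Defang an indicator for reports so it is not clickable or auto-resolved."""
    return value.replace(".", "[.]")


def parse_whois(text):
    """Parse 'Field: value' lines into a dict.  Fields with an empty value
    (e.g. 'Registrant Application Purpose:') are dropped, and a repeated
    field keeps its first value."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if value and field not in record:
            record[field] = value
    return record


def pivots(record):
    """Normalised (kind, value) pairs worth searching other records for."""
    found = set()
    for kind, fields in PIVOT_FIELDS.items():
        for field in fields:
            if field in record:
                found.add((kind, refang(record[field]).lower()))
    return found


def shared_pivots(record_a, record_b):
    """Pivots two records have in common; a non-empty set links the registrations."""
    return pivots(record_a) & pivots(record_b)


if __name__ == "__main__":
    a = parse_whois(WHOIS_MANAGETHEWORLD)
    b = parse_whois(WHOIS_OTHER)
    for kind, value in sorted(pivots(a)):
        print(kind, defang(value))
    print("shared:", shared_pivots(a, b))
```

Because the pivots are normalised (refanged and lower-cased) before comparison, a record that lists the email as the registrant contact and another that lists it only as the administrative contact still match. The `defang` helper is deliberately simple and also bracket-escapes dots inside the local part of an address; that is harmless for reports, but use `refang` before querying any external service.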
Sample EK URI Pattern:
We would like to thank Hassan Faizan for his contributions to this discovery.
How healthcare organizations can overcome common cybersecurity roadblocks
Category: Leadership Insights, Risk Management
SecureWorks sat down with the Chief Financial Officer of Clearwater Compliance to talk about the cybersecurity challenges healthcare organi…
Are you using Foxit PDF Reader? If yes, then you need to watch your back.
Security researchers have discovered two critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted c…
After hacking social media accounts of HBO and its widely watched show Game of Thrones, a notorious group of hackers calling itself OurMine took control over the official Twitter and Facebook accounts for Sony’s PlayStation Network (PSN) on Sunday.
A compilation of security news and blog posts from the 14th of August to the 20th of August. We looked at back to school cybersecurity tips, Kronos malware, and the return of Locky ransomware.
More Ethereum Stolen!
An unknown hacker has so far stolen more than $471,000 worth of Ethereum—one of the most popular and increasingly valuable cryptocurrencies—in yet another Ethereum hack that hit the popular cryptocurrency investment platform, Enigma.
According to an announcement made on their official website an hour ago, an “unknown entity” has managed to hack their website, slack account
Biohacking could be a next big thing in this smart world.
At the beginning of this month, several dozen employees of Three Square Market (32M) received microchip implants in their hands during a “chip party,” allowing them to log into their office com…
The new documents leaked by former NSA contractor Edward Snowden have exposed a secretive United States facility located near a remote town in Australia’s Northern Territory for covertly monitoring wireless communications and aiding US military missions…
If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behavior could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured pro…