A recent sharp spike in Neutrino Exploit Kit traffic has been linked to the compromise of sites running WordPress. The attack is orchestrated by a group that has abandoned the Angler Exploit Kit and switched to Neutrino to install CryptoWall 3.0 ransomware, Zscaler reports.
Neutrino Exploit Kit is malicious code hosted on attacker-controlled websites or injected into legitimate, hacked websites without the administrator's knowledge. The code probes for weaknesses in the applications on a visitor's system and then installs malicious software on the host machine, compromising its data. Over the past week a steep rise in Neutrino Exploit Kit traffic was observed, and the entry point for that rise was traced to compromised WordPress websites.
The primary platform that Neutrino Exploit Kit has been abusing is WordPress. There have long been concerns over vulnerabilities in the software and weak points in the extensions and plug-ins written for the CMS. There have even been incidents where the WordPress core engine itself was attacked, underlining the need to harden a service used by so many people around the world.
According to a Zscaler report published on August 20, websites running WordPress version 4.2 or older are being used to redirect visitors' browsers, through iframes, to a page where the exploit kit is hosted and a Flash exploit lies waiting. Most of the exploits targeted Internet Explorer, and the victim's system ended up infected with CryptoWall 3.0 ransomware.
The SANS Institute had earlier released a report about a group that had stopped using the Angler Exploit Kit and switched to Neutrino, and the recent rise in Neutrino Exploit Kit traffic suggests that report was correct. SANS and Zscaler both reported that the landing page's IP address is 220.127.116.11, which is registered to a person named Max Vlapet in Moscow.
Zscaler's report said that over 2600 WordPress websites were involved in the Neutrino spike, serving around 4000 infected pages. The report went on to say that the group's aim is to compromise the entire website by injecting an iframe that redirects the visitor to a Neutrino landing page. The iframe is injected immediately after the BODY tag, almost exactly as in the Angler samples. Detection of this malicious activity is very poor, which aggravates the damage it can cause.
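The injection pattern described above, an iframe placed immediately after the BODY tag and styled so the visitor never sees it, is something a site owner can check for in their own pages. The scanner below is an added example written for this article; it is not code from Zscaler, SANS or the WordPress project. The sample pages are constructed, and the landing-page host `landing.example` is a placeholder rather than an indicator from either report.

```python
"""Flag iframes injected right after the <body> tag of an HTML page.

Added example, not taken from the Zscaler or SANS reports. It parses a
page with the standard-library HTMLParser, records every iframe together
with how many elements precede it inside <body>, and marks an iframe as
suspicious when it is both hidden (zero/one-pixel size or display:none /
visibility:hidden) and sits at the very start of the body. Sample pages
are constructed; 'landing.example' is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")
TINY_DIMENSIONS = ("0", "1", "0px", "1px")
# An iframe that is one of the first two elements after <body> counts as
# "right after the BODY tag" for this check (assumed threshold).
NEAR_BODY_LIMIT = 2


class IframeScanner(HTMLParser):
    """Collects iframes seen inside <body> and assesses each one."""

    def __init__(self):
        super().__init__()
        self.elements_since_body = None  # None until <body> has been seen
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "body":
            self.elements_since_body = 0
            return
        if self.elements_since_body is None:
            return  # still in <head>; ignore
        if tag == "iframe":
            self.findings.append(self._assess(attrs, self.elements_since_body))
        self.elements_since_body += 1

    @staticmethod
    def _assess(attrs, position):
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = all(attrs.get(dim, "").strip() in TINY_DIMENSIONS
                   for dim in ("width", "height"))
        hidden = tiny or any(m in style for m in HIDDEN_STYLE_MARKERS)
        src = attrs.get("src", "")
        return {
            "src": src,
            "host": urlparse(src).hostname or "",
            "position": position,      # elements between <body> and the iframe
            "hidden": hidden,
            "suspicious": hidden and position < NEAR_BODY_LIMIT,
        }


def scan_html(html):
    """Return one finding dict per iframe found inside <body>."""
    parser = IframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_iframes(html, allowed_hosts=()):
    """Findings that look like an injected redirect, minus known-good hosts."""
    return [f for f in scan_html(html)
            if f["suspicious"] and f["host"] not in allowed_hosts]


# Constructed sample: hidden iframe injected immediately after <body>.
INJECTED_PAGE = """<html><head><title>Blog</title></head>
<BODY><iframe src="http://landing.example/path" width="1" height="1"
 style="display:none"></iframe>
<div class="post">Hello</div></BODY></html>"""

# Constructed sample: a normal, visible embed deep inside the content.
CLEAN_PAGE = """<html><head><title>Blog</title></head>
<body><div class="post"><p>Hello</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</div></body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        hits = suspicious_iframes(page)
        print(f"{name}: {len(hits)} suspicious iframe(s)",
              [h["host"] for h in hits])
```

Run against a page fetched from your own site (for example a saved copy of the home page), and pass legitimate embed hosts in `allowed_hosts` to cut noise. A hit means the page content, theme, or a plug-in has been tampered with and the site needs to be cleaned and its WordPress core and plug-ins updated.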
The end result of the victim's browser being redirected to the Neutrino landing page via an iframe is the installation of CryptoWall 3.0, a ransomware. Like other ransomware families, it encrypts the files stored on the victim's system and then demands a ransom in exchange for the key needed to decrypt them. CryptoWall 3.0 sends its traffic over several channels, including the Tor and I2P anonymity networks.
Although Angler remains the most dangerous exploit kit and is behind incidents on a regular basis, Neutrino's recent traffic spike has moved it up several places in the rankings. It has established itself as a major threat.