Malvertising Campaign Spewing Neutrino Exploit Kit Thwarted

Security researchers have helped put an end to a global malvertising campaign that put millions of users at the risk of infection by the CrypMIC ransomware delivered via the Neutrino Exploit Kit.

The malvertising campaign was discovered by researchers at Cisco’s Talos Security Intelligence and Research Group, who found it active in North America, Europe, Asia Pacific and the Middle East.

Cisco researcher Nick Biasini stated:

The biggest thing is the truly global reach of this campaign itself and hitting a lot of different regions around the world and using many different languages.

The campaign that caught the attention of Talos researchers, specifically, began in August 2016, lasting two weeks.

The perpetrators of the malvertising campaign had multiple domains registered with the domain registrar GoDaddy, Biasini revealed. Cisco Talos collaborated with GoDaddy in a joint operation to shut down domains that redirected traffic to a single server in Russia hosting the Neutrino Exploit Kit.

It’s entirely likely that the criminals spreading the malvertising campaign used stolen credentials to tap legitimate GoDaddy domain accounts, the researcher speculated.

From there, the criminals created several dozen subdomains of legitimate websites and used those subdomains as fronts to buy advertisements on the OpenX advertising platform. They also stole content-specific ads from relevant niche websites and displayed them as their own on the OpenX network.

The crafty operation saw visitors of a legitimate website fall prey to malicious ads that redirected to the rogue subdomains, or “gates” as Cisco Talos referred to them.

In a blog, Biasini wrote:

Gates are an initial redirection point for exploit kits. This is simply an intermediary between the initial redirection (i.e. compromised website/malicious ad) and the actual exploit kit server that does the probing, compromise, and payload delivery. This allows the adversary to quickly change the actual malicious server without having to change the initial redirection.
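The gate pattern described above leaves a recognisable trace in web proxy logs: a redirect chain in which the middle hop sits on a subdomain of an unrelated, legitimate-looking domain before landing on a third domain (or a bare IP) that serves the exploit kit. The script below is an added illustration, not code from Cisco Talos or the article, and runs over constructed log lines; the log format, hostnames and IP addresses are all assumed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed proxy log (not from the article). Columns: time client status url location
# "location" is the Location header of a 302 response, "-" when there was none.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 302 http://ads.adnet.example/click?id=77 http://promo.legit-news.example/go
12:00:01 10.0.0.5 302 http://promo.legit-news.example/go http://203.0.113.10/n3/index.php
12:00:02 10.0.0.5 200 http://203.0.113.10/n3/index.php -
12:01:00 10.0.0.9 302 http://www.legit-news.example/old http://www.legit-news.example/new
12:01:01 10.0.0.9 200 http://www.legit-news.example/new -
"""

def registered_domain(host):
    """Naive eTLD+1 (last two labels); IP literals are returned unchanged."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.split(".")[-2:])

def build_chains(log_text):
    """Follow Location headers per client to rebuild each redirect chain."""
    nxt, targets = {}, set()
    for line in log_text.splitlines():
        _, client, status, url, loc = line.split()
        if status == "302" and loc != "-":
            nxt[(client, url)] = loc
            targets.add((client, loc))
    chains = []
    for (client, url) in nxt:
        if (client, url) in targets:
            continue  # this URL is itself a redirect target, so not a chain head
        chain, cur = [url], url
        while (client, cur) in nxt:
            cur = nxt[(client, cur)]
            chain.append(cur)
        chains.append((client, chain))
    return chains

def find_gate_chains(log_text):
    """Flag chains whose middle hop belongs to a third registered domain:
    ad network -> gate on an unrelated domain -> exploit kit host."""
    hits = []
    for client, chain in build_chains(log_text):
        doms = [registered_domain(urlparse(u).hostname) for u in chain]
        for i in range(1, len(doms) - 1):
            if doms[i] != doms[i - 1] and doms[i] != doms[i + 1]:
                hits.append((client, chain[i - 1], chain[i], chain[i + 1]))
    return hits
```

The same-site redirect on the second client is deliberately left unflagged, since a gate only stands out when the intermediary crosses into a domain unrelated to both its neighbours.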

While the Neutrino Exploit Kit was discovered as the primary exploit kit, the course of the investigation further revealed that Darkleech, Pseudo Darkleech and EITest were all being used as well.

Ultimately, Biasini underlined the reason why malicious ads are gaining adoption among cybercriminals – they produce lots of web traffic.

A comprehensive report of the investigation and its subsequent takedown can be found here.

Image credit: Flickr.