Neutrino Exploit Kit drive-by attack
The Dell SonicWALL Threats Research team analyzed a drive-by attack involving the Neutrino cybercrime exploit kit, which leads to the download of additional malware on the target system after a successful exploit run. The malware in this case is a Backdoor Trojan, Pakes.ADDS.
Below is a sample of the web requests made from the target machine during the Neutrino Exploit Kit infection cycle:
The Neutrino Exploit Kit follows the same business model as the now-obsolete Blackhole Exploit Kit. Based on information from an underground forum, the author offers to rent hosted Exploit Kit servers at $40 USD per day, $150 USD per week, and $450 USD per month.
Upon successful exploitation in our test case, the Exploit Kit served a malicious .NET executable that is downloaded and executed on the target machine.
The downloaded file uses the following icon:
The following image shows how the malicious payload is decrypted and executed by the .NET executable.
It attempts to connect to a remote server, khalidandrozay.ru, and sends information stolen from the victim machine.
It also creates a new scheduled task named "Windows Update Check" that runs the dropped malware executable at Windows logon, as seen below:
- C:\Windows\System32\schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - " /TR "C:\Program Files\Common Files\dkfnvkunv99450495i49oisxcdlvd.exe" /RL HIGHEST
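The scheduled-task persistence above leaves a clear trace in process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688 record the full schtasks command line). The following detection logic is an added example, not part of the original advisory or of any SonicWALL product: it parses schtasks command lines and flags task creations that combine a logon trigger, a request for the highest run level, a "Windows Update" style name whose program lives outside C:\Windows, and a random-looking executable name. The log lines are constructed; the first one reproduces the command line from the advisory, the others are benign look-alikes so the rule can be checked in both directions.

```python
import re
import ntpath  # Windows path handling regardless of the host the scanner runs on

# Constructed sample command lines, as a process-creation log would record them.
# The first mirrors the schtasks invocation in the advisory; the rest are benign.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - " '
    r'/TR "C:\Program Files\Common Files\dkfnvkunv99450495i49oisxcdlvd.exe" /RL HIGHEST',
    r'C:\Windows\System32\schtasks.exe /CREATE /SC DAILY /ST 02:00 /TN "Nightly Backup" '
    r'/TR "C:\Program Files\BackupTool\backup.exe"',
    r'C:\Windows\System32\schtasks.exe /CREATE /SC ONLOGON /TN "Updater" '
    r'/TR "C:\Program Files\VendorApp\updater.exe"',
    r'C:\Windows\System32\schtasks.exe /QUERY /TN "Nightly Backup"',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole.
    (shlex would treat the backslashes in Windows paths as escapes, so a regex is used.)"""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return schtasks options as a dict (flag upper-cased -> value or True),
    or None when the command line is not a schtasks invocation."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    if ntpath.basename(tokens[0]).lower() not in ("schtasks.exe", "schtasks"):
        return None
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            # A flag consumes the next token as its value unless that token is another flag.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def scheduled_task_reasons(cmdline):
    """List the suspicious traits of a schtasks /CREATE command line (empty if none)."""
    opts = parse_schtasks(cmdline)
    if opts is None or "CREATE" not in opts:
        return []
    reasons = []
    task_name = str(opts.get("TN", "")).lower()
    target = str(opts.get("TR", "")).lower()
    if str(opts.get("SC", "")).upper() == "ONLOGON":
        reasons.append("logon-triggered persistence")
    if str(opts.get("RL", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    # Brand impersonation: a "Windows Update"/"Microsoft" task whose program is not under C:\Windows.
    if ("windows update" in task_name or "microsoft" in task_name) \
            and not target.startswith("c:\\windows\\"):
        reasons.append("task name impersonates Windows Update but runs outside C:\\Windows")
    # Heuristic (assumption): long executable names mixing letters and digits look machine-generated.
    stem = ntpath.splitext(ntpath.basename(target))[0]
    if len(stem) >= 16 and re.fullmatch(r"[a-z0-9]+", stem) \
            and re.search(r"[a-z]", stem) and re.search(r"[0-9]", stem):
        reasons.append("random-looking executable name")
    return reasons


def is_suspicious(cmdline, min_reasons=2):
    """A task creation is flagged only when at least min_reasons traits co-occur,
    so a lone ONLOGON task from a legitimate vendor does not fire."""
    return len(scheduled_task_reasons(cmdline)) >= min_reasons


def scan(lines):
    """Return (command line, reasons) for every flagged line in a log."""
    return [(line, scheduled_task_reasons(line)) for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_COMMAND_LINES):
        print("SUSPICIOUS:", line)
        for reason in reasons:
            print("  -", reason)
```

Requiring two co-occurring traits keeps the rule quiet on ordinary vendor updaters that also use ONLOGON; the advisory's command line trips all four checks, while the benign lines trip at most one.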
The Dell SonicWALL UTM appliance provides protection against this threat with the following signature:
- GAV: Pakes.ADDS (Trojan)