Exploit Kit with Currency Mining Capability

Tuesday, August 22, 2017 @ 04:08 PM gHale

The Neptune exploit kit is now delivering cryptocurrency miners through malvertising campaigns, researchers said.

Neptune is also known by several aliases, including Terror, Blaze and Eris, said researchers at FireEye.

Neptune continues to gain in popularity and it continues to be used in malvertising campaigns.

Researchers have spotted quite a few changes in Neptune attacks, including new URI patterns, landing pages, malvertising campaigns and payloads, FireEye threat researchers Zain Gardezi and Manish Sardiwal said in a blog post.

FireEye first observed the new URI patterns in mid-July. In the same campaign, attackers have been taking over a legitimate pop-up ad service (one ranked in Alexa’s Top 100) to deliver malware via fake advertisements for hiking clubs.

The malicious websites imitate real domains, often using the same domain name with a .club suffix instead of .com. One of the domains used to redirect users to the exploit kit landing pages also mimics a YouTube-to-MP3 online converter.

The ads linked to this Neptune exploit kit campaign have been typically served on popular torrent and hosting websites.
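The TLD-swap trick described above (the same second-level name under .club instead of .com) is cheap to look for in web proxy logs. The following is an added example, not code from the article or from FireEye: it scans constructed proxy log lines, extracts each host, and flags any host whose second-level label matches a domain on a hypothetical list of known-legitimate domains while its top-level domain differs. The log lines, the `KNOWN_DOMAINS` list and the hostnames in them are all constructed for illustration.

```python
import re

# Constructed sample proxy log lines (not taken from the article).
SAMPLE_LOGS = [
    "2017-08-15T10:01:02Z 10.0.0.5 GET http://example-hiking.com/ads/banner.js 200",
    "2017-08-15T10:01:05Z 10.0.0.5 GET http://example-hiking.club/landing/index.php 200",
    "2017-08-15T10:02:11Z 10.0.0.7 GET http://youtube2mp3-converter.club/go 302",
    "2017-08-15T10:03:00Z 10.0.0.9 GET https://www.example-torrents.com/index.html 200",
]

# Hypothetical allowlist of domains the organisation treats as legitimate.
KNOWN_DOMAINS = {
    "example-hiking.com",
    "youtube2mp3-converter.com",
    "example-torrents.com",
}

# Pulls the host out of the first http(s) URL on a log line.
URL_RE = re.compile(r"https?://([^/\s:]+)")


def registered_domain(host):
    """Split a host into (second-level label, top-level domain).

    Subdomains such as 'www.' are dropped, so 'www.example.com' -> ('example', 'com').
    Returns None for bare labels with no dot.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the known domain that `host` impersonates by swapping only the TLD,
    or None if the host is either an exact known domain or unrelated to the list."""
    parts = registered_domain(host)
    if parts is None:
        return None
    sld, tld = parts
    for legit in sorted(known):  # sorted for deterministic results
        legit_parts = registered_domain(legit)
        if legit_parts and legit_parts[0] == sld and legit_parts[1] != tld:
            return legit
    return None


def scan_logs(lines, known=KNOWN_DOMAINS):
    """Return a list of (suspicious_host, impersonated_known_domain) pairs found in the log lines."""
    hits = []
    for line in lines:
        match = URL_RE.search(line)
        if not match:
            continue
        host = match.group(1)
        target = lookalike_of(host, known)
        if target:
            hits.append((host, target))
    return hits


if __name__ == "__main__":
    for host, target in scan_logs(SAMPLE_LOGS):
        print(f"possible lookalike: {host} (mimics {target})")
```

Only the TLD-swap pattern the article describes is checked here; homoglyph or typosquat variants of the second-level label would need a separate edit-distance or confusable-character comparison, and a hit should be treated as a lead for review rather than a verdict, since a brand may legitimately own both TLDs.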

Once victims go to the landing page, the EK exploits three Internet Explorer and two Adobe Flash Player vulnerabilities to deliver malware.

The payload delivered in the campaign is a piece of malware that mines for Monero (XMR), a cryptocurrency currently worth $86 per unit.

The regions most affected by the campaign are South Korea (29 percent), Europe (19 percent), Thailand (13 percent), Middle East (13 percent) and the United States (10 percent).

“Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software,” FireEye researchers said. “This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.”
