Neutrino: Caught in the Act

Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code:

sitecode (114k image)

The deobfuscated code shows the location from where the injected iframe URL will be gathered from, as well as the use of cookie to allow the redirection. It also shows that it only targets to infect those browsing from IE, Opera and Firefox.

And now for some good old snippet from the source site and infected site:

injected (90k image)

When an infected website successfully redirects, the user will end up with a Neutrino exploit kit that is serving some Java exploit:

redirections (88k image)

We haven’t fully analyzed the Trojan payload yet, but initial checks showed that it makes HTTP posts to this IP:

mapp (55k image)

Early this week, when it probably was not in full effect yet, the injected URLs were leading to google.com. However, it went in full operation starting yesterday evening when it began redirecting to Neutrino to serve Java exploits.

first_instance (22k image)

Based on that timeline, we plotted the location of all the IP addresses that visited the infected sites to a map. These IPs are potential victims of this threat. There were approximately 80,000 IPs.

visitor3 (648k image)

We also plotted the location of the infected websites and so far, there were around 20,000+ domains affected by this threat. The infected sites appear to be using either WordPress or Joomla CMS.

hacked (616k image)

You can also find other information about this threat in Kafeine’s blog post

Samples related to this post are detected as Trojan:HTML/SORedir.A, Exploit:Java/Majava.A, and Trojan:W32/Agent.DUOH.

Post by — Karmina and @Daavid

On 23/10/13 At 04:23 PM

Read more: Neutrino: Caught in the Act

Story added 23. October 2013, content source with full text you can find at link above.