<<<
Wednesday, October 23, 2013
>>>
 
Neutrino: Caught in the Act Posted by SecResponse @ 16:23 GMT

Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code:

sitecode



The deobfuscated code shows the location from where the injected iframe URL will be gathered from, as well as the use of cookie to allow the redirection. It also shows that it only targets to infect those browsing from IE, Opera and Firefox.

And now for some good old snippet from the source site and infected site:

injected



When an infected website successfully redirects, the user will end up with a Neutrino exploit kit that is serving some Java exploit:

redirections



We haven't fully analyzed the trojan payload yet, but initial checks showed that it makes HTTP posts to this IP:

mapp



Early this week, when it probably was not in full effect yet, the injected URLs were leading to google.com. However, it went in full operation starting yesterday evening when it began redirecting to Neutrino to serve Java exploits.

first_instance



Based on that timeline, we plotted the location of all the IP addresses that visited the infected sites to a map. These IPs are potential victims of this threat. There were approximately 80,000 IPs.

visitor3



We also plotted the location of the infected websites and so far, there were around 20,000+ domains affected by this threat. The infected sites appear to be using either WordPress or Joomla CMS.

hacked



You can also find other information about this threat in Kafeine's blog post.

Samples related to this post are detected as Trojan:HTML/SORedir.A, Exploit:Java/Majava.A, and Trojan:W32/Agent.DUOH.

Post by — Karmina and @Daavid












<<< What is the cost of ransomware?
|
Who Controls Free Expression in Cyberspace? >>>