Neutrino Exploit kit: A walk-through into the exploit kit’s campaigns distributing various ransomware

  • Neutrino EK distributes ransomware variants such as CryptXXX, CrypMIC, Bandarchor, and Pizzacrypts.
  • The exploit kit has also been used to exploit Flash vulnerabilities, including CVE-2015-7645, and Microsoft zero-day vulnerabilities, with victims directed to it through Google SEO poisoning.

Neutrino is an exploit kit discovered in 2012 that exploited vulnerabilities in all Java versions up to Java 7 Update 11. The exploit kit has also been used to exploit Flash vulnerabilities, including CVE-2015-7645, and Microsoft zero-day vulnerabilities, with victims directed to it through Google SEO poisoning.

Neutrino EK also distributes ransomware variants such as CryptXXX, CrypMIC, Bandarchor, and Pizzacrypts.

Fingerprinting techniques

Neutrino uses fingerprinting techniques to avoid unwanted attention by identifying visitors it does not want to serve. In addition, the exploit kit has used various techniques to check for debuggers and for the operating system in use, and it terminates its malicious activity against such users.

Compromise of Mr.Chow website

In 2016, the website of the Mr.Chow restaurants was hacked to redirect users to ransomware via the Neutrino exploit kit. A malicious script, ‘pseudo Darkleech’, was injected directly into the website, triggering the Neutrino exploit kit to infect vulnerable systems with ransomware.

Afraidgate campaign

The attackers behind the Afraidgate campaign distribute various ransomware families via exploit kits. In September 2013, this campaign leveraged the Neutrino exploit kit to drop the Locky ransomware.

Hijacking of customer domains

In July 2017, the French domain registrar Gandi lost control over 751 customer domains, whose DNS records were altered to point incoming traffic to websites hosting exploit kits such as Neutrino and RIG.