Despite a marked decrease in activity, exploit kits haven’t completely disappeared just yet. The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners.
Researchers with FireEye said Tuesday the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Researchers elected not to disclose the name of the popup ad service, but stressed that it’s within Alexa’s top 100.
The landing pages run a handful of exploits, including three targeting Internet Explorer (CVE-2016-0189, CVE-2015-2419, CVE-2014-6332) and two targeting Flash (CVE-2015-8651, CVE-2015-7645).
According to FireEye researchers Zain Gardezi and Manish Sardiwal, the malvertising redirects mimic the domains of actual hiking sites and, in some instances, sites that let users convert YouTube videos to MP3s. The ads, most of which appear on high-traffic torrent and multimedia hosting sites, lead redirected victims to a Monero miner being dropped on their machines.
Monero, an open source cryptocurrency that bills itself as “secure, private, and untraceable,” has caught on with cybercriminals over the last several months.
One cryptocurrency miner, Adylkuzz, was spotted in April using the same NSA EternalBlue exploit and DoublePulsar rootkit that spread WannaCry to infect computers and mine Monero.
According to FireEye, for the new Neptune EK campaign a uniform resource identifier (URI) belonging to the exploit kit domain has been dropping the payload as a plain executable. After a machine has been infected, attempts are made to log in to minergate[.]com, a cryptocurrency GUI miner and mining pool, with the attacker’s email address.
Researchers noticed this campaign on July 16 and were able to pin it on changes in the kit’s URI patterns.
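The two observable behaviours the article attributes to an infection (a payload delivered as a plain executable from the exploit-kit domain, followed by a login to minergate[.]com) are the kind of thing a defender can look for in web-proxy logs. The script below is an added example written for this article; it is not FireEye's tooling and it does not know the kit's actual URI patterns, which the researchers did not publish. It assumes a simple constructed proxy-log format (timestamp, client IP, method, URL, status, content type) and uses placeholder `.test` domains for everything except minergate.com, which is the one host the write-up names.

```python
import re
from urllib.parse import urlsplit

# The article reports infected hosts logging in to minergate.com; treat that
# domain and its subdomains as a mining-pool indicator. Any further pools you
# add here must come from your own threat intelligence (assumption: this set
# is the only pool list the detector uses).
MINING_POOL_DOMAINS = {"minergate.com"}

# Constructed log format (not FireEye's data):
# "<timestamp> <client_ip> <method> <url> <status> <content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample log; all domains other than minergate.com are placeholders.
SAMPLE_LOG = """\
2017-07-16T10:02:11Z 10.0.0.5 GET http://ad-redirect.test/go?id=7 302 text/html
2017-07-16T10:02:13Z 10.0.0.5 GET http://ek-landing.test/index.html 200 text/html
2017-07-16T10:02:20Z 10.0.0.5 GET http://ek-landing.test/drop/update.exe 200 application/x-msdownload
2017-07-16T10:03:05Z 10.0.0.5 POST https://minergate.com/login 200 application/json
2017-07-16T10:04:00Z 10.0.0.9 GET https://www.hiking-site.test/trails.html 200 text/html
"""


def parse_line(line):
    """Parse one proxy-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    return rec


def host_matches(host, domain):
    """True for the domain itself or any subdomain, never for look-alikes."""
    return host == domain or host.endswith("." + domain)


def is_mining_pool(host):
    return any(host_matches(host, d) for d in MINING_POOL_DOMAINS)


def is_plain_executable(rec):
    # The kit drops its payload as a plain executable; a .exe path or an
    # executable content type (assumed MIME value) is the cheapest signal.
    return (rec["path"].lower().endswith(".exe")
            or rec["ctype"] == "application/x-msdownload")


def find_indicators(lines):
    """Return findings; a pool contact after an executable download from the
    same client is escalated to high severity, since that is the sequence
    the campaign exhibits."""
    findings = []
    exe_seen = set()  # clients that have already pulled a plain executable
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, host = rec["client"], rec["host"]
        if is_plain_executable(rec):
            exe_seen.add(client)
            findings.append({"client": client, "host": host,
                             "reason": "plain_executable_download",
                             "severity": "medium"})
        if is_mining_pool(host):
            findings.append({"client": client, "host": host,
                             "reason": "mining_pool_contact",
                             "severity": "high" if client in exe_seen else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['client']:10} {f['reason']:26} {f['host']}")
```

The escalation rule is deliberately narrow: a lone pool login from a client might be a hobbyist miner, but a plain executable download followed by a pool login from the same host is worth a ticket. In practice the executable check would be fed by your proxy's content inspection rather than by file extension alone.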
Spreading resource-intensive cryptocurrency miners helps attackers raise small amounts of money that can potentially be used to fund future attacks.
Attackers in June used an exploit for a Samba vulnerability patched in May to deliver Monero miners. Researchers with Kaspersky Lab who discovered the operation said the attackers hardcoded their wallet and pool address into the attack and managed to raise $6,000 via the campaign.
The vulnerabilities that Neptune uses are dated; Microsoft fixed one of them, CVE-2014-6332, a Windows OLE bug that could have allowed remote code execution, in November 2014. Gardezi and Sardiwal warn that users running out-of-date or unpatched software could still be at risk, especially as drive-by download kits such as Neptune have of late taken a shine to using malvertisements to push malicious downloads.
Similar to Sundown, the Neptune/Terror exploit kit is one of several that popped up following Angler’s disappearance in 2016. Researchers said in May of this year that the kit had adopted new anti-detection features and slowly evolved into a threat.