Neutrino EK: more Flash trickery

Neutrino EK: more Flash trickery

A while back we wrote about the Neutrino exploit kit performing fingerprinting checks to weed out security researchers and honeypots attempting to catch its payload. Interestingly, it did this from within the same Flash exploit it uses to compromise the system. The EK developers really have a special relationship with the Flash player, having counted on it for a long time as their primary weapon up until integrating an Internet Explorer zero-day.

Continuing with that trend, we recently observed a new redirection pattern from compromised websites, and, you may have guessed, it uses a Flash file.

Fiddler

It is not the EITest campaign though, which does have an intermediary redirection mechanism with Flash. Instead, the rogue SWF file is hosted on the hacked website, and for all intents and purposes looks innocuous as it hides in plain sight within other media types.

redir

Additionally, this Flash file performs the same fingerprinting that we saw before within the Neutrino exploit kit itself. In other words, they have duplicated this check and placed it up the infection chain to filter out fake traffic before it even reaches the gate to the EK.

fingerprinting_checks

If the various conditions are met (no Virtual Machine, no AV installed, etc), another piece of code within that SWF file takes care of performing the redirection to an external URL, a gate to Neutrino EK’s landing. The troubled ExternalInterface.call() fires __flash__toXML, which instructs the Flash file to write a malicious iframe into the browser:

flash_to_XML

This gate launches Neutrino EK which still performs the same fingerprinting (not all paths to Neutrino include this pre-check, so it makes sense to keep it at the EK level as well).

As we can see, Neutrino EK and some of its gates continue to rely on the Flash Player as they incorporate more useful features to keep infections stealthy and less discoverable. There is one clear advantage to using Flash’s ActionScript code rather than plain, or even obfuscated JavaScript, in that reversing Flash files is more time consuming and tedious.

Related reading:

IOCs:
SWF hashes:

some_althoughopen[.]top.swf 3d496bb988996274397d9466d7019d40d6926574600843f26b7d35343cf00b83 some_outjennifer[.]top.swf 503e6b9eaf4e808df4c02c2978d66673a1cc59388d10681c11daeb95bd44c567

some_userkevin[.]top.swf fc4a5db9e4fe90d34586b0db2e81a41bf794e1597f756107896ee043bf391d9e

dumped SWF used in this article 0496c126e13208967070e4284af98b7ea91dd343d56d29a955a36eb24f6d9320

Gates:

althoughopen[.]top/ignoramus.php althoughopen[.]top/outwear.php althoughopen[.]top/vassals.php outjennifer[.]top/allottee.php outjennifer[.]top/banco.php outjennifer[.]top/calling.php outjennifer[.]top/educated.php outjennifer[.]top/eliminatory.php outjennifer[.]top/logos.php outjennifer[.]top/meted.php outjennifer[.]top/photoinduced.php outjennifer[.]top/plausibly.php outjennifer[.]top/plumier.php outjennifer[.]top/psychotropic.php outjennifer[.]top/reechoing.php outjennifer[.]top/shove.php outjennifer[.]top/sixpence.php outjennifer[.]top/subornation.php outjennifer[.]top/telepathies.php outjennifer[.]top/tilted.php outjennifer[.]top/timbres.php outjennifer[.]top/transit.php outjennifer[.]top/ukeleles.php outjennifer[.]top/vehemently.php outjennifer[.]top/venomers.php outjennifer[.]top/westerner.php userkevin[.]top/ceiling.php userkevin[.]top/egresses.php userkevin[.]top/embalming.php userkevin[.]top/emerging.php userkevin[.]top/mahatmas.php userkevin[.]top/malcontents.php userkevin[.]top/precooling.php userkevin[.]top/rompers.php

ABOUT THE AUTHOR

Jérôme Segura

Sr Director, Research