Neutrino
Start Date: 2013-06-18
Most Recent Activity: 2020-01-31
Executive Summary
The Neutrino exploit kit is a malicious toolkit that can be used by attackers who are not computer security experts. Threat actors with no coding experience can still use exploit kits like Neutrino to conduct their illegal activity.
Wireshark Analysis
Packet Dissection
Victim
- IP: 192.168.122.178
- MAC: 52:54:00:f6:e6:96
- OS / User-Agent: Mozilla/4.0 Windows NT 6.1
Network Indicators
| IP | Domain | Port | Context |
|---|---|---|---|
| | www.insightcrime[.]org | 80 | Malicious JS |
| 93.171.172[.]220 | | 80 | Neutrino Gate |
| | 1208b83b81c141ecd6f05e24.webhop[.]org | 8000 | Neutrino EK |
Investigation Steps
- Victim system identified as Windows NT 6.1
- Filtered `http.request` → identified GET requests to compromised site and EK domain
- Landing page HTML contained obfuscated JS with XOR function and plugin fingerprinting
- Found XOR key in the `$(document).ready()` call as variable `qq`: `var qq = 'oirewfai';`
- Filtered `http.request.method == "POST"` to find plugin fingerprint sent to Neutrino gate
- Followed HTTP stream → grabbed server response body (URL-encoded + XOR'd)
- CyberChef: URL Decode → XOR (key: oirewfai, UTF8) → decrypted to Java applet tag
- Applet downloaded Java archive (.jar) → then fetched octet-stream (final payload)
- CyberChef: XOR (key: nylhvw, UTF8) on octet-stream → dropped malware PE
- File type detection confirms Windows PE executable
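The same two-stage decode the CyberChef steps perform, as an added Python example that is not part of the original analysis. The keys oirewfai and nylhvw are the ones recovered from the capture; the `qq` extraction regex, the landing-page snippet, the applet tag and the PE stub are constructed stand-ins, not the real artifacts.

```python
import re
import struct
import urllib.parse
from typing import Optional

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, equivalent to CyberChef's XOR recipe with a UTF8 key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_xor_key(landing_js: str) -> Optional[str]:
    """Pull the key out of the landing page's `var qq = '...'` assignment (regex is an assumption)."""
    m = re.search(r"var\s+qq\s*=\s*'([^']+)'", landing_js)
    return m.group(1) if m else None

def decode_gate_response(body: str, key: str) -> str:
    """Stage 1: URL-decode the gate's response body, then XOR it with the landing-page key."""
    raw = urllib.parse.unquote_to_bytes(body)
    return xor_repeating(raw, key.encode()).decode("utf-8", errors="replace")

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decode_payload(blob: bytes, key: str) -> Optional[bytes]:
    """Stage 2: XOR the octet-stream with the applet's key; keep the result only if it is a PE."""
    out = xor_repeating(blob, key.encode())
    return out if looks_like_pe(out) else None

# --- constructed samples (not captured traffic) ---
LANDING_JS = "$(document).ready(function(){ var qq = 'oirewfai'; /* fingerprinting omitted */ });"
APPLET_TAG = '<applet archive="stage2.jar" code="Main.class"></applet>'  # constructed
# Simulate what the gate sends back: XOR with the page key, then percent-encode every byte.
GATE_BODY = urllib.parse.quote(xor_repeating(APPLET_TAG.encode(), b"oirewfai"), safe="")
# An 88-byte stand-in for the dropped PE: DOS header with e_lfanew=0x40 and a PE signature.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
OCTET_STREAM = xor_repeating(FAKE_PE, b"nylhvw")  # what the .jar would fetch

if __name__ == "__main__":
    key = extract_xor_key(LANDING_JS)
    print("stage 1:", decode_gate_response(GATE_BODY, key))
    print("stage 2 is PE:", decode_payload(OCTET_STREAM, "nylhvw") is not None)
```

Swapping the embedded samples for the real gate response and octet-stream bodies exported from Wireshark reproduces the CyberChef result; a wrong key simply fails the PE check instead of producing garbage.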

Overview
Description
Type: Exploit Kit
Delivery:
Compromised websites or malvertising campaigns through iframe injection, Macros, Flash, Java, Silverlight.
Capabilities:
Automated exploitation of browser vulnerabilities, payload delivery (commonly ransomware or banking trojans), fingerprinting of victim systems, and integration with affiliate-based crimeware ecosystems.
Notable Characteristics:
Uses obfuscated JavaScript and encrypted payload delivery chains. Relies heavily on redirection chains and exploit landing pages. Frequently updated exploit modules to target newly disclosed CVEs. Designed for ease of use, allowing low-skill actors to deploy sophisticated attacks.
Attack Flow
Flow
User Visit → Compromised Site → Hidden iFrame → TDS Redirect → Exploit Kit Landing Page → Browser Exploit → Payload Download → Malware Execution
- User visits a legitimate but compromised website or malvertising link
- A hidden iframe or injected script redirects the browser to a Traffic Distribution System (TDS)
- TDS filters the victim based on location, browser version, and exploitability
- Victim is redirected to a Neutrino exploit kit landing page
- The landing page fingerprints the system and selects a suitable exploit
- Browser or plugin vulnerability (e.g., Flash, Java) is exploited
- Malicious payload is silently downloaded without user interaction
- Payload executes, often installing ransomware or credential-stealing malware
Data Sources
Telemetry Sources
- Web Logs
  - Telemetry: HTTP requests, referrer headers, user-agent strings
  - Detection Value: Identify compromised websites, iframe injections, and exploit kit landing page requests
- Proxy Logs
  - Telemetry: URL redirection chains, HTTP response codes, domain reputation
  - Detection Value: Detect Traffic Distribution System (TDS) behavior and multi-stage redirection patterns
- DNS Logs
  - Telemetry: Domain queries, newly registered domains, NXDOMAIN responses
  - Detection Value: Identify exploit kit infrastructure, fast-flux domains, and suspicious domain churn
- Sysmon
  - Telemetry: Event ID 1 (Process Creation), Event ID 3 (Network Connections)
  - Detection Value: Detect browser processes spawning abnormal child processes or initiating suspicious outbound connections
- Endpoint (EDR)
  - Telemetry: Process trees, memory injection indicators, file writes
  - Detection Value: Identify exploit-triggered payload execution and post-exploitation activity
- Network IDS (Suricata/Zeek)
  - Telemetry: HTTP signatures, exploit patterns, anomalous traffic
  - Detection Value: Detect exploit kit traffic patterns and payload delivery signatures
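The Sysmon detection value above (browser spawning an interpreter; browser connecting on a non-web port such as the 8000 seen on the EK host) written out as two rules, as an added Python example that is not from the original page. The browser and child-process name sets, the field names (taken from Sysmon's Event ID 1/3 data fields) and the sample events are constructed assumptions; the 93.171.172.220 address is the gate from the capture, 198.51.100.23 is a TEST-NET placeholder.

```python
from typing import Dict, List, Optional

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WEB_PORTS = {80, 443}

def _basename(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def flag_process_creation(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon Event ID 1: a browser parent spawning an interpreter or LOLBin child."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
    if parent in BROWSERS and child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}: {ev.get('CommandLine', '')}"
    return None

def flag_network_connection(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon Event ID 3: a browser making an outbound TCP connection on a non-web port."""
    if ev.get("EventID") != 3 or _basename(ev["Image"]) not in BROWSERS:
        return None
    port = int(ev["DestinationPort"])
    if ev.get("Protocol", "tcp") == "tcp" and port not in WEB_PORTS:
        return f"{_basename(ev['Image'])} -> {ev['DestinationIp']}:{port}"
    return None

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both rules over a list of events and return the alert strings in order."""
    alerts = []
    for ev in events:
        for rule in (flag_process_creation, flag_network_connection):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample events (not real telemetry); EventID is an int, other fields are strings.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "93.171.172.220", "DestinationPort": "80", "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": "8000", "Protocol": "tcp"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\update.ps1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Note that the gate connection on port 80 passes the port rule unnoticed, which is why the process-creation rule is the one that catches the later stage; neither replaces the proxy and DNS telemetry listed above.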
MITRE ATT&CK Techniques
MITRE ATT&CK
- T1189 – Drive-by Compromise
- T1204.002 – User Execution - Malicious File
- T1059.001 – Command and Scripting Interpreter - PowerShell
- T1105 – Ingress Tool Transfer
- T1203 – Exploitation for Client Execution
- T1071.001 – Application Layer Protocol - Web Protocols
- T1566 – Phishing
- T1497 – Virtualization/Sandbox Evasion
Mitigations
Mitigations
- Patch Management: Regularly update browsers, plugins (Flash, Java, Silverlight), and operating systems to eliminate known vulnerabilities exploited by Neutrino
- Disable or Remove Plugins: Remove deprecated or high-risk plugins such as Flash and Java, which are common exploit targets for exploit kits
- Web Filtering / Secure Web Gateway: Block access to known malicious domains, newly registered domains, and categories associated with malvertising or exploit kit infrastructure
- Ad Blocking / Script Blocking: Use browser extensions or enterprise controls to block malicious ads, scripts, and iframe injections that deliver exploit kits
- Network IDS/IPS: Deploy systems like Suricata or Zeek to detect exploit kit traffic patterns, signatures, and abnormal HTTP behavior
- Endpoint Detection and Response (EDR): Monitor for abnormal process spawning (e.g., browser → PowerShell) and exploit-triggered execution behaviors
- Application Isolation / Sandboxing: Use browser isolation technologies or sandboxing to prevent exploitation from impacting the host system
- Least Privilege: Ensure users do not operate with administrative privileges to limit the impact of successful exploitation
- Email and Web Security Awareness: Train users to avoid suspicious links and attachments that may lead to exploit kit landing pages
