Neutrino EK tries to leverage known Flash vulnerability

Mar 26, 2015 08:43 GMT  ·  By

Adult website Xtube has been compromised, and injected malicious code is redirecting visitors to an exploit kit landing page that infects systems whose browsers run an unpatched version of the Flash plug-in.

The website is far from being obscure, as it ranks 780 in the US according to Alexa, and falls on spot 1,158 in the global ranking of popular online locations.

As of Thursday, the adult site received daily visits from almost 140,000 unique IP addresses and recorded a total of 556,000 page views each day, according to one source.

Multiple redirect domains used

Unlike other malware campaigns, in this case the cybercriminals did not rely on malvertising for the redirection but instead managed to inject a piece of code straight into the website, antivirus vendor Malwarebytes says.

To hide the domains hosting the exploit kit (EK), which has been identified as Neutrino, the attackers use dynamic rotation: several redirector domains take turns forwarding visitors to the landing pages that host the browser-based attack tool.

Security researchers noticed multiple redirectors, all pointing to Neutrino. If an outdated version of Adobe Flash Player (16.0.0.287 or lower) is detected in the web browser (Firefox and IE on Windows earlier than 8.x), the EK will leverage a known vulnerability and infect the system with a threat detected as Trojan.MSIL.ED by Malwarebytes products.
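The version gate described above is also the check a defender wants to run over an asset inventory. The following is an added example, not code from Malwarebytes or from the campaign itself: it parses Flash Player version strings numerically and flags installs at or below 16.0.0.287. The inventory data is constructed; the comma-separated version form is assumed to be what some inventory tools report.

```python
# Added example: flag Flash Player installs in the version range the
# Neutrino redirector targets (16.0.0.287 or lower). Components are compared
# as integers; a plain string compare would wrongly rank "9.0.0.0" above
# "16.0.0.287" because "9" sorts after "1" lexicographically.
from typing import Dict, Tuple

# Highest version the report says the EK still attacks.
MAX_TARGETED_FLASH = "16.0.0.287"


def parse_flash_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.0.287' (or the assumed comma form '16,0,0,287') into a
    4-tuple of ints; shorter strings are zero-padded so '16.0' == '16.0.0.0'."""
    parts = version.strip().replace(",", ".").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Flash version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_targeted_by_neutrino(version: str) -> bool:
    """True when the installed version is one the campaign's gate would exploit."""
    return parse_flash_version(version) <= parse_flash_version(MAX_TARGETED_FLASH)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patch' / 'ok' / 'unknown' from a host -> version inventory."""
    verdicts = {}
    for host, ver in inventory.items():
        try:
            verdicts[host] = "patch" if is_targeted_by_neutrino(ver) else "ok"
        except ValueError:
            verdicts[host] = "unknown"  # unparseable entry needs a manual look
    return verdicts


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws01": "16.0.0.287",   # exactly the cut-off: still targeted
    "ws02": "16.0.0.305",   # one release later: not in the gated range
    "ws03": "9.0.0.0",      # old; string compare would miss this one
    "ws04": "17,0,0,134",   # comma form, assumed inventory output
    "ws05": "n/a",          # no Flash or bad data
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, verdict)
```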

Popular antivirus engines include detection for the payload

It is unclear whether a new Flash exploit is used or one of those already added to Neutrino (CVE-2015-0311, CVE-2014-0569 and CVE-2014-0515).

At the moment, most of the popular antivirus products offer detection, with VirusTotal on Wednesday showing that 12 out of 57 engines were able to identify it as a threat.

Malwarebytes says that the administrators of Xtube have been notified of the problem, but offered no additional details.

Image: Neutrino deploys Flash exploit

Image: Domain redirecting to Neutrino EK landing page