Is Neutrino shutting down or going private?

Oct 2, 2016 21:25 GMT  ·  By

The exploit kit (EK) landscape appears to have lost another major player, with unconfirmed rumors that the Neutrino exploit kit has shut down, or at least moved to a private client without being available on the "for-hire" market.

French security researcher Kaffeine published today a message exchanged in the criminal underground. The text reads "we are closed. no new rents, no extends more," and is a Jabber message sent by the Neutrino EK author to another third party.

The date of the message is September 9. Banners advertising the Neutrino exploit kit have disappeared from underground hacking forums around September 16.

Neutrino has been losing clients to RIG for the past month

Malicious traffic campaigns that redirected users to the Neutrino EK didn't stop all of a sudden after that message but slowly switched to the RIG exploit kit during the past month. Security firms like Malwarebytes, Heimdal Security, and Malware Traffic Analysis have noted a slowdown in Neutrino activity this past month.

Kaffeine says that after October 1, except for two campaigns, the Neutrino exploit kit is all but gone.

At the end of August, a joint Cisco and GoDaddy operation shut down a large number of malvertising campaigns running on the Neutrino EK.

The gang behind Neutrino either got spooked because their operation was tracked down or they lost a great deal of credibility in the underground market.

Based on the message Kaffeine discovered, it appears the first theory might be more realistic, with the Neutrino gang slowly retreating from the market, afraid they might get too exposed and then arrested.

Is Neutrino becoming another private EK?

Nevertheless, Kaffeine has another more plausible explanation, one that sees the Neutrino gang evolve into something like Magnitude, a private exploit kit used only by one criminal group, but used in massive operations.

"Are we witnessing the end of Neutrino Exploit Kit?," Kaffeine asks. "To some degree. In fact it looks more like Neutrino is going in full 'Private' mode 'a la' Magnitude."

But that doesn't mean RIG is just a random beneficiary of the left-over market share. Kaffeine details that RIG has added some features which haven't been seen since Angler, an exploit kit that shut down at the end of May.

New RIG feature might have contributed to Neutrino's demise

Called Traffic Distribution System (TDS), this feature allows crooks to host multiple malware payloads on the same exploit kit, dividing traffic based on geographical locations, user-agents, or other criteria. This is a feature seen only in top-shelf exploit kits, which RIG has slowly become.

"RIG EK has integrated a newer IE exploit and gone further to obfuscate its payload but it still remains largely behind compared to what Angler EK was offering at the time it disappeared," Jerome Segura told Softpedia regarding RIG's capabilities.

"An additional aspect [...] is that traffic distribution is a critical part of an EK," Segura also adds, regarding RIG's new TDS system. "Even with less firepower, an EK that has capabilities to manage infection campaigns will be preferred to one that doesn't."

This new RIG feature, along with others, may have contributed to Neutrino's demise, which hasn't been sudden or unexpected like the deaths of the Angler and Nuclear EKs earlier in the year.

"I think most people tracking exploit kits have seen the predominance of RIG EK and less and less Neutrino," Segura says.

"That would be the third big loss (Nuclear Pack, Angler EK, and now Neutrino EK) this year. These three were the most sophisticated EKs and that leaves a big void right now."

New exploit kits surface online

That void is slowly being filled by new actors, according to Kaffeine. For example, the security researcher reports on a new exploit kit called Neutrino-v, which is currently active mostly in South Korea and Taiwan.

Furthermore, he also reveals the existence of a new EK called Empire Pack. This is another private EK, currently not advertised anywhere, which appears to be a clone of the RIG EK. Additionally, there's another RIG clone, called RIG-v, or RIG VIP, also active on the market.

Just as it took two months for things to settle before we knew for sure that the Angler and Nuclear exploit kits had shut down, it may take a while to know whether Neutrino has turned off the lights for good or has moved to a private distribution model.

For more technical details about what appears to be the new king of the exploit kit market, check out these reports about RIG from Trustwave and Malwarebytes.

Image: Neutrino exploit kit appears to have shut down

Image: Empire Pack EK login panel