In the cybercrime landscape, Exploit Kits (EKs) are the tools of choice to infect endpoints by exploiting software vulnerabilities. However, a critical component EKs rely on is web traffic, which must be directed towards them.
There are two primary sources of traffic to an exploit kit:
- malvertising: malicious ad banners displayed on legitimate websites
- compromised websites: malicious code injected into sites (iframes, 302 redirects, etc)
In this post, we take a look at the latter by examining what we sometimes refer to as ‘gates’. Hacked websites are injected with code to an intermediary webpage that serves as the gateway to the exploit kit. We should also mention that in some cases, compromised websites contain the redirection to the EK directly in their source code, without the use of an additional gate (ie. Pseudo Darkleech).
One of the most popular exploit kits at the moment, Neutrino EK, has several different gates:
Compromised websites are injected with two different code snippets:
A fake jQuery.js file:
We noted that if you browsed to the fake jquery file directly, you would be served a different (benign) copy:
The variable is in fact a key which is necessary for the JS file to get decoded, and while it could have been defined within the JS script, it was stored on the compromised site instead. This may be to make it harder for researchers that analyze the standalone JS, without the key parameter.
Some last noteworthy points about the jQueryGate is the fact that there is heavy IP filtering in place (one shot per residential IP) to prevent replays of the drive-by download attack. Additionally, the domains involved appear to be using newer TLDs (i.e. .tech, .press).
Indicators of Compromise:
Source code: pastebin.com/raw/8zqXBxhB