Exploit kits are going through some strange phases these days. Two major malware distribution campaigns, namely Pseudo Darkleech and EITTest traditionally reserved for Neutrino EK were redirecting to underdog RIG EK. Several security researchers (Oddly_Normal, @malware_traffic, BroadAnalysis) pointed out this unexpected behaviour on Twitter.
Time will tell if this is a temporary blip or not. While we have seen some switches between EKs in the past, the Pseudo Darkleech and EITest campaigns which were once part of Angler’s distribution channels, have always been very coveted.
We will keep monitoring this situation and update this post accordingly.
Payload from Pseudo Darkleech:
Payload from EITest: