Tuesday, June 14, 2016

Neutrino EK and the abuse of .TOP domains ramping up

A few days ago there were several news reports that some threat actors were switching from Angler EK to Neutrino EK. The blog "Malware don't need Coffee" published an analysis of the drop-off in Angler activity. Moreover, Brad Duncan, from malware-traffic-analysis.net, wrote on SANS ISC about the same topic.


I've been monitoring closely and I've detected that the number of malicious Neutrino Flash files has increased drastically.

The common pattern is that the shellcode inside the Flash file, acting as a dropper, uses URLs on recently created ".top" domains.

This is not new at all: exploit kits have been abusing free-registration domains for a long time. Some months ago I wrote about how to hunt EKs abusing DGA algorithms with Splunk.

From the Flash files I checked, I got the following list of IOCs (subdomain + domain):

ftkuo.t2afeel.top
nsafjq.ucohand.top
daikbafklp.orastudy.top
iongqma.umidday0.top
mbhfzh.t1arealize.top
xzjetzk.c5aneed.top
hbxhetum.s2chinchilla.top
ceikjq.d4arachnid.top
ufzgyua.y0antelope.top
ztdctbmgh.e4aconsider.top
eaamuodb.k1chicken.top
gruadqyqo.k1chicken.top
jpaxlpsexm.akeducationug.top
rshhrnmcp.r9shark.top
ewbppd.orastudy.top
epkzi.j5ahandle.top
yjotvlkfo.shouldblue.top
nhxzmkcdfj.separateblue.top
kmsmu.shareblack.top
azqwhappyh.growpink.top
qsdeawdet.r4amove.top

Those domains are registered under these emails: 

ivkolyvan@gmail.com, zizsdcqe@6paq.com, alvertafajer@yahoo.com


Looking at other ".top" domains registered with those accounts since the 1st of June, I got an interesting list of domains, which I have made public: http://pastebin.com/NXHAdnYt


So it is time to hunt in your DNS queries ;-)
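As an added example (my own code, not part of the original post), here is a small Python hunt over DNS query logs. It matches on the registered domains behind the IOC list above (the subdomain part is randomised per victim, so the registered ".top" domain is what you want to pivot on) and also surfaces any other ".top" domain seen in the logs for review, since that is the pattern the post describes. The log format is an assumed BIND-style query log and the sample lines are constructed; the bigger list from the pastebin link can be dropped into NEUTRINO_IOCS the same way.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# IOCs taken from the list in this post (subdomain + domain).
NEUTRINO_IOCS = [
    "ftkuo.t2afeel.top", "nsafjq.ucohand.top", "daikbafklp.orastudy.top",
    "iongqma.umidday0.top", "mbhfzh.t1arealize.top", "xzjetzk.c5aneed.top",
    "hbxhetum.s2chinchilla.top", "ceikjq.d4arachnid.top", "ufzgyua.y0antelope.top",
    "ztdctbmgh.e4aconsider.top", "eaamuodb.k1chicken.top", "gruadqyqo.k1chicken.top",
    "jpaxlpsexm.akeducationug.top", "rshhrnmcp.r9shark.top", "ewbppd.orastudy.top",
    "epkzi.j5ahandle.top", "yjotvlkfo.shouldblue.top", "nhxzmkcdfj.separateblue.top",
    "kmsmu.shareblack.top", "azqwhappyh.growpink.top", "qsdeawdet.r4amove.top",
]


def registered_domain(fqdn: str) -> str:
    """Return the registrable domain (last two labels) of a hostname.

    Good enough for .top, which has no second-level public suffixes;
    for ccTLDs such as .co.uk you would want the Public Suffix List.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Match on what the actor actually registered, not the throwaway subdomain.
IOC_DOMAINS: Set[str] = {registered_domain(h) for h in NEUTRINO_IOCS}

# Assumed BIND-style query log line (constructed for this example), e.g.
# "14-Jun-2016 10:22:01.123 client 10.0.0.15#51234: query: ftkuo.t2afeel.top IN A + (10.0.0.1)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    domain: str
    reason: str


def hunt(lines: Iterable[str], ioc_domains: Set[str] = IOC_DOMAINS) -> List[Hit]:
    """Scan query-log lines; return hits for known IOC domains and unlisted .top domains."""
    hits: List[Hit] = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a query line (or a format we do not parse)
        qname = m["qname"].lower().rstrip(".")  # normalise case and trailing dot
        dom = registered_domain(qname)
        if dom in ioc_domains:
            reason = "known Neutrino domain"
        elif dom.endswith(".top"):
            # Same registration pattern, not on the list yet: surface it for review.
            reason = "unlisted .top domain"
        else:
            continue
        hits.append(Hit(m["ts"], m["client"], qname, dom, reason))
    return hits


# Constructed sample log: one known IOC, one IOC with odd casing and a trailing
# dot, one unlisted .top domain, two benign queries and one malformed line.
SAMPLE_LOG = """\
14-Jun-2016 10:22:01.123 client 10.0.0.15#51234: query: ftkuo.t2afeel.top IN A + (10.0.0.1)
14-Jun-2016 10:22:03.456 client 10.0.0.15#51236: query: www.google.com IN A + (10.0.0.1)
14-Jun-2016 10:22:07.789 client 10.0.0.22#40002: query: zzqpa.K1chicken.TOP. IN A + (10.0.0.1)
14-Jun-2016 10:23:11.001 client 10.0.0.31#40003: query: xyz.somethingelse.top IN A + (10.0.0.1)
14-Jun-2016 10:23:15.002 client 10.0.0.31#40004: query: topsecret.example.com IN AAAA + (10.0.0.1)
this line is not a query record
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.client} -> {h.qname} [{h.domain}] {h.reason}")
```

The "unlisted .top domain" bucket will be noisy on a big network, so in practice you would age it against registration date (the post's point is that these domains are days old) or against a baseline of .top domains your users already resolved before June.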