A few days ago there were several news reports that some threat actors were switching from Angler EK to Neutrino EK. The blog "Malware don't need Coffee" published some analysis of the disappearance of Angler. Moreover, Brad Duncan, from malware-traffic-analysis.net, wrote on SANS ISC about this same topic.
I've been monitoring closely and I've detected that the number of malicious Neutrino Flash files has increased drastically.
The common pattern is that the shellcode inside the Flash file, acting as a dropper, uses URLs in recently created ".top" domains.
This is not new at all, as exploit kits have been abusing free-registration domains for a long time. Some months ago I wrote about how to hunt for EKs abusing DGA algorithms with Splunk.
From the Flash files I checked, I got the following list of IOCs (subdomain + domain):
Those domains are registered under these emails:
email@example.com, firstname.lastname@example.org, email@example.com
Looking at other ".top" domains registered with those accounts since the 1st of June, I got an interesting list of domains, which I have made public: http://pastebin.com/NXHAdnYt
So it is time to hunt in your DNS queries ;-)
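One way to do that hunt, as an added example that is not from the original post: a small Python script that parses DNS query log lines and flags both matches against the IOC list (exact name or its parent domain, so domains registered under the same accounts are caught) and any other query for a ".top" name, so the recently registered ones can be reviewed. The BIND-style query log format is an assumption, and the log lines and IOC entries below are constructed placeholders, not the real indicators.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log lines in BIND query-log style (assumed format), not real traffic.
SAMPLE_LOG = """\
02-Jul-2016 10:01:02.111 client 10.0.0.12#51234: query: www.example.com IN A + (10.0.0.1)
02-Jul-2016 10:01:03.222 client 10.0.0.12#51235: query: cdn.static.evil-sample.top IN A + (10.0.0.1)
02-Jul-2016 10:01:04.333 client 10.0.0.25#40001: query: mail.example.org IN MX + (10.0.0.1)
02-Jul-2016 10:01:05.444 client 10.0.0.25#40002: query: ads.other-sample.top IN A + (10.0.0.1)
02-Jul-2016 10:01:06.555 client 10.0.0.30#40003: query: known-ioc.top IN A + (10.0.0.1)
"""

# Constructed placeholder IOC list standing in for the subdomain+domain list from the post.
IOC_DOMAINS = {"cdn.static.evil-sample.top", "known-ioc.top"}

# Pull the client IP and the queried name out of each query line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def registrable_domain(qname):
    """Return the last two labels (domain + TLD); sufficient for .top, which has no public second-level suffixes."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def hunt(log_text, ioc_domains, tld="top"):
    """Return {client_ip: [(queried_name, reason), ...]} for every query worth a look.

    reason is "ioc-match" when the name or its parent domain is on the IOC list,
    and "suspicious-tld" for any other query under the given TLD.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        client = m.group("client")
        if qname in ioc_domains or registrable_domain(qname) in ioc_domains:
            findings[client].append((qname, "ioc-match"))
        elif qname.endswith("." + tld):
            findings[client].append((qname, "suspicious-tld"))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in hunt(SAMPLE_LOG, IOC_DOMAINS).items():
        for qname, reason in hits:
            print(f"{client}\t{qname}\t{reason}")
```

Feed it your own resolver logs (adjusting QUERY_RE to their format) and the pastebin list as IOC_DOMAINS; the "suspicious-tld" hits are the candidates to check against registration dates.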