I've been monitoring closely and have noticed that the number of malicious Neutrino Flash files has increased drastically.
The common pattern is that the shellcode inside the Flash file, acting as a dropper, uses URLs in recently created ".top" domains.


This is nothing new at all, as exploit kits have been abusing free-registration domains for a long time. Some months ago I wrote about how to hunt EKs abusing DGA-generated domains with Splunk.
From the Flash files I checked, I extracted this list of IOCs (subdomain + domain):
Those domains were registered under these email addresses:
ivkolyvan@gmail.com, zizsdcqe@6paq.com, alvertafajer@yahoo.com
Looking at other ".top" domains registered with those accounts since 1 June, I got an interesting list of domains, which I have made public: http://pastebin.com/NXHAdnYt
So it is time to hunt in your DNS queries ;-)
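As an added example of the DNS hunt the post ends on (my own code, not the author's), here is a small Python script that scans BIND-style query log lines for names whose registered domain is one of the ".top" domains listed above, and flags any other ".top" name carrying a subdomain for triage, since that is the pattern the dropper follows. The IOC set is a subset of the page's list; the log lines, the client IPs and the domain `unlisted-example.top` are constructed for the example.

```python
import re
from collections import namedtuple

# Registered domains taken from the IOC list in the post (subdomain stripped).
KNOWN_BAD = {"t2afeel.top", "ucohand.top", "orastudy.top", "k1chicken.top", "r9shark.top"}

# Matches the "client <ip>#<port>: query: <name> IN <type>" part of a BIND query log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

Hit = namedtuple("Hit", "client qname reason")


def registered_domain(qname):
    """Return the last two labels ('a.b.c.top' -> 'c.top'); .top has no public second-level suffixes."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def hunt(log_lines, known_bad=KNOWN_BAD):
    """Scan query log lines and return a Hit for every name worth looking at."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        qname = m.group("qname").rstrip(".").lower()
        reg = registered_domain(qname)
        if reg in known_bad:
            hits.append(Hit(m.group("client"), qname, "known-ioc"))
        elif reg.endswith(".top") and qname != reg:
            # Not on the list, but a subdomain of a .top domain fits the dropper pattern: triage it.
            hits.append(Hit(m.group("client"), qname, "top-tld-subdomain"))
    return hits


# Constructed sample log lines (BIND query log format); IPs and unlisted-example.top are made up.
SAMPLE_LOG = [
    "12-Jun-2016 10:15:01.123 client 10.0.0.5#51234: query: ftkuo.t2afeel.top IN A + (10.0.0.1)",
    "12-Jun-2016 10:15:02.456 client 10.0.0.7#40011: query: www.example.com IN A + (10.0.0.1)",
    "12-Jun-2016 10:15:03.789 client 10.0.0.9#40233: query: ewbppd.orastudy.top IN A + (10.0.0.1)",
    "12-Jun-2016 10:15:04.001 client 10.0.0.5#51240: query: qwertyu.unlisted-example.top IN A + (10.0.0.1)",
    "12-Jun-2016 10:15:05.002 client 10.0.0.3#40100: query: example.top IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.reason:18} {hit.client:12} {hit.qname}")
```

Feed it your resolver's query log instead of `SAMPLE_LOG`, and swap `KNOWN_BAD` for the full pastebin list to widen the net.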