This blog post was written by Kalpesh Mantri.
You read that right. Jon Snow appears to be back from the dead. That would make “Game of Thrones” fans happy, but unfortunately this Jon Snow is not the same character. This John (with an h) Snow is related to Neutrino exploit kits, one of the commonly used kits used for malware distribution.
Neutrino was first identified in 2013, just months after the kits Angler and Magnitude. Today Neutrino is the second most used kit and is growing very fast. Neutrino usually employs Java exploits to start its attacks. Last month, however, Neutrino was seen using Flash exploits based on CVE-2016-4117.
Recently, the CryptXXX ransomware switched its distribution from the Angler to Neutrino for the first time. Both the pseudo-Darkleech and the EITest ransomware campaigns use Neutrino to deliver CryptXXX, suggesting that Neutrino will grow rapidly in coming months.
Recently, McAfee Labs has found many Neutrino-redirecting URLs using .top domain extensions.
We checked domain information for a few of those sites. By comparing that data, we found that all of the domains were registered by a threat actor using the (likely fake) name John Snow.
“Jon Snow” is quite popular these days due to the appeal of “Game of Thrones.” Perhaps this threat actor is also a fan of the show. This actor used the email address firstname.lastname@example.org to register these domains through Alpnames Limited.
We found more than 700 domains with .top extensions registered by this actor, and most are used as Neutrino URLs. In the past month, this threat actor has registered more than 10 Neutrino domains daily.
As fans of “Game of Thrones,” we looked for other character names from the show. Guess whom we found?
One threat actor registered many .top domains using the name Tyrion Lannister with the email email@example.com. We could not determine the purpose or kits used with these domains.
Apart from these “Thrones” characters, we found a few more threat actors. One, Mayko Evgeniy, used the address firstname.lastname@example.org to register more than 3,800 .top domains.
This threat actor set up most domains as Angler kit URLs. This email address also registered more than 20 domains per day for the use of kits.
We gathered a few more mail IDs used for domain name registration. The following were used for malware distribution:
Based on exploit kit tracking information from the Advanced Threat Research team of McAfee, the following are the most dominant exploit kits in the last 90 days:
Many exploit kits are using domains with .top and .tk extensions.
Organizations and individuals can block all access to every domain with a .top or .tk extension by configuring emails and firewalls. Check here for a complete list of malicious domains found by McAfee.