‘Thrones’ Jon Snow Appears to Employ Neutrino Exploit Kit

This blog post was written by Kalpesh Mantri.

You read that right. Jon Snow appears to be back from the dead. That would make “Game of Thrones” fans happy, but unfortunately this Jon Snow is not the same character. This John (with an h) Snow is related to Neutrino exploit kits, one of the commonly used kits used for malware distribution.

Neutrino was first identified in 2013, just months after the kits Angler and Magnitude. Today Neutrino is the second most used kit and is growing very fast. Neutrino usually employs Java exploits to start its attacks. Last month, however, Neutrino was seen using Flash exploits based on CVE-2016-4117.

Recently, the CryptXXX ransomware switched its distribution from the Angler to Neutrino for the first time. Both the pseudo-Darkleech and the EITest ransomware campaigns use Neutrino to deliver CryptXXX, suggesting that Neutrino will grow rapidly in coming months.

Recently, McAfee Labs has found many Neutrino-redirecting URLs using .top domain extensions.

  • hxxp://eilong.top
  • hxxp://eaautomatic.top
  • hxxp://d2ahave.top

We checked domain information for a few of those sites. By comparing that data, we found that all of the domains were registered by a threat actor using the (likely fake) name John Snow.

kkm_b2_whois_jonSnow

“Jon Snow” is quite popular these days due to the appeal of “Game of Thrones.” Perhaps this threat actor is also a fan of the show. This actor used the email address ivkolyvan@gmail.com to register these domains through Alpnames Limited.

kkm_b2_neutrino_cnt

We found more than 700 domains with .top extensions registered by this actor, and most are used as Neutrino URLs. In the past month, this threat actor has registered more than 10 Neutrino domains daily.

As fans of “Game of Thrones,” we looked for other character names from the show. Guess whom we found?

One threat actor registered many .top domains using the name Tyrion Lannister with the email c0rleone@bk.ru. We could not determine the purpose or kits used with these domains.

kkm_b2_whois_tyrion

 

Apart from these “Thrones” characters, we found a few more threat actors. One, Mayko Evgeniy, used the address maykoe@list.ru to register more than 3,800 .top domains.

kkm_b2_angler_cnt

This threat actor set up most domains as Angler kit URLs. This email address also registered more than 20 domains per day for the use of kits.

We gathered a few more mail IDs used for domain name registration. The following were used for malware distribution:

kkm_b2_mails

 

Based on exploit kit tracking information from the Advanced Threat Research team of McAfee, the following are the most dominant exploit kits in the last 90 days:
kkm_b2_Ek_Details

 

Security Tip

Many exploit kits are using domains with .top and .tk extensions.

  • hxxp://biolexa.tk
  • hxxp://x79.tx7pck9cx.top

Organizations and individuals can block all access to every domain with a .top or .tk extension by configuring emails and firewalls. Check here for a complete list of malicious domains found by McAfee.

Leave a Comment

1 × 3 =