I personally haven’t documented a Neutrino EK compromise since September 11, 2016. Before that point Neutrino EK was very active in the EK scene as it took the top spot from Angler following the arrest of the Lurk gang. The question is why has there been such a noticeable drop off in Neutrino activity?
Malware Don’t Need Coffee reported in his latest post that on 09/09/16 there was a message on Jabber from a Neutrino seller account stating:

> We are closed. No new rents, no more extends.
Malware Don’t Need Coffee also reported that this isn’t the first time we’ve seen this kind of dramatic decrease in Neutrino EK activity. For example, back in 2014 Neutrino disappeared from March all the way until November.
However, Neutrino EK hasn’t completely disappeared yet. Other EK researchers like Brad from Malware Traffic Analysis have written about Neutrino as recently as 09/26/16. In that post he found a compromised site using Afraidgate to redirect users to Neutrino EK.
So what is really going on here? Researchers like Malware Don’t Need Coffee are hypothesizing that Neutrino EK might be going private, since its operators have recently stopped advertising it. We will probably still see infections from Neutrino EK, but I would expect that number to continue to decrease as the kit becomes less widely available.
If current trends hold, the InfoSec community will continue to see an increase in Rig EK activity, as most of the advertising has switched to selling Rig EK.