Neptune Exploit Kit

On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017.

Below is an image from one of the advertisements:

NeptuneEK

Claimed features include a malicious domain detect rotation trigger, stenography, domain auto-rotator, professional user interface (template for the interface can be found HERE), FUD (fully undetectable) exploits, support for different browsers, as well as listing the following CVEs:

  • CVE-2017-3823 (Cisco WebEx browser extension vulnerability)
  • CVE-2017-3289 (Java SE 7u121, Java SE 8u111, Java SE 8u112)
  • CVE-2017-2995 (Adobe Flash Player versions 24.0.0.194 and earlier)
  • CVE-2017-0037 (Microsoft Internet Explorer 11 and Microsoft Edge)
  • CVE-2016-7200 (Chakra JavaScript scripting engine in Microsoft Edge)
  • CVE-2016-7201 (Chakra JavaScript scripting engine in Microsoft Edge)
  • CVE-2016-4117 (Adobe Flash Player 21.0.0.226 and earlier)
  • CVE-2016-0189 (Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines)
  • CVE-2016-0034 (Microsoft Silverlight 5 before 5.1.41212.0)
  • CVE-2015-7645 (Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows)
  • CVE-2015-6086 (Microsoft Internet Explorer 9 through 11)
  • CVE-2015-2419 (JScript 9 in Microsoft Internet Explorer 10 and 11)

The OP says that Flash and Java work silently on all browsers. They also stated that Firefox and Opera have their own landing pages and IE has its own exploit landing page. Chrome, however, is served no landing.

Here are some images of the dashboard and statistics:

NeptuneEK

Another image of browser and OS statistics:

more stats

The author is also advertising exploit kit protection features, as well as a 3 tiered package system with package 3 costing the most at $1,200 per week and $4,000 per month:

NeptuneEK 2

The tiered packages come with different exploits, with package 1 offering only IE and Flash exploits.

I have yet to run into an infection chain involving this exploit kit so I can’t confirm any of these claims. Furthermore, the OP had their account closed on one of the forums and the thread was closed. Some people in the forum thread were accusing the OP of this being a scam. If anyone comes across more information you can contact me via Twitter.

Until next time!

  1. Very helpful. Thank you.

    Liked by 1 person

    Reply

  2. Hi.

    Can you guide me to gather similar data in accordance to exploit kits? For instance, CVE IDs exploited by EKs.

    The EKs can be Astrum or Blackhole or Hanjuan or Rig. It will be a great aid for me.

    Thanks in advance.

    Like

    Reply

  3. Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns – All-Daily-News April 16, 2017 at 6:19 pm

    […] there is a thing right now with rebranding and Terror EK has been known to be called Blaze, Neptune, or […]

    Like

    Reply

    1. Okay. Thank you very much for the info.

      Liked by 1 person

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: