Neptune Exploit Kit

On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017.

Below is an image from one of the advertisements:

[Image: NeptuneEK]

Claimed features include a malicious domain detect rotation trigger, steganography, a domain auto-rotator, a professional user interface (template for the interface can be found HERE), FUD (fully undetectable) exploits, and support for different browsers. The advertisement also lists the following CVEs:

  • CVE-2017-3823 (Cisco WebEx browser extension vulnerability)
  • CVE-2017-3289 (Java SE 7u121, Java SE 8u111, Java SE 8u112)
  • CVE-2017-2995 (Adobe Flash Player versions 24.0.0.194 and earlier)
  • CVE-2017-0037 (Microsoft Internet Explorer 11 and Microsoft Edge)
  • CVE-2016-7200 (Chakra JavaScript scripting engine in Microsoft Edge)
  • CVE-2016-7201 (Chakra JavaScript scripting engine in Microsoft Edge)
  • CVE-2016-4117 (Adobe Flash Player 21.0.0.226 and earlier)
  • CVE-2016-0189 (Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines)
  • CVE-2016-0034 (Microsoft Silverlight 5 before 5.1.41212.0)
  • CVE-2015-7645 (Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows)
  • CVE-2015-6086 (Microsoft Internet Explorer 9 through 11)
  • CVE-2015-2419 (JScript 9 in Microsoft Internet Explorer 10 and 11)

The OP says that Flash and Java work silently on all browsers. They also state that Firefox and Opera have their own landing pages and that IE has its own exploit landing page. Chrome, however, is served no landing page.

Here are some images of the dashboard and statistics:

[Image: NeptuneEK]

Another image of browser and OS statistics:

[Image: more stats]

The author is also advertising exploit kit protection features, as well as a three-tiered package system, with package 3 costing the most at $1,200 per week and $4,000 per month:

[Image: NeptuneEK 2]

The tiered packages come with different exploits, with package 1 offering only IE and Flash exploits.

I have yet to run into an infection chain involving this exploit kit, so I can’t confirm any of these claims. Furthermore, the OP had their account closed on one of the forums and the thread was closed. Some people in the forum thread were accusing the OP of running a scam. If anyone comes across more information, you can contact me via Twitter.

Until next time!

malwarebreakdown


4 thoughts on “Neptune Exploit Kit”

    • April 17, 2017 at 5:29 AM

      Okay. Thank you very much for the info.
  • March 31, 2017 at 1:02 PM

    Hi.

    Can you guide me to gather similar data in accordance to exploit kits? For instance, CVE IDs exploited by EKs.

    The EKs can be Astrum or Blackhole or Hanjuan or Rig. It will be a great aid for me.

    Thanks in advance.
  • March 13, 2017 at 1:37 PM

    Very helpful. Thank you.