On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017.
Below is an image from one of the advertisements:
Claimed features include a malicious domain detect rotation trigger, stenography, domain auto-rotator, professional user interface (template for the interface can be found HERE), FUD (fully undetectable) exploits, support for different browsers, as well as listing the following CVEs:
- CVE-2017-3823 (Cisco WebEx browser extension vulnerability)
- CVE-2017-3289 (Java SE 7u121, Java SE 8u111, Java SE 8u112)
- CVE-2017-2995 (Adobe Flash Player versions 126.96.36.199 and earlier)
- CVE-2017-0037 (Microsoft Internet Explorer 11 and Microsoft Edge)
- CVE-2016-4117 (Adobe Flash Player 188.8.131.52 and earlier)
- CVE-2016-0189 (Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines)
- CVE-2016-0034 (Microsoft Silverlight 5 before 5.1.41212.0)
- CVE-2015-7645 (Adobe Flash Player 18.x through 184.108.40.206 and 19.x through 220.127.116.11 on Windows)
- CVE-2015-6086 (Microsoft Internet Explorer 9 through 11)
- CVE-2015-2419 (JScript 9 in Microsoft Internet Explorer 10 and 11)
The OP says that Flash and Java work silently on all browsers. They also stated that Firefox and Opera have their own landing pages and IE has its own exploit landing page. Chrome, however, is served no landing.
Here are some images of the dashboard and statistics:
Another image of browser and OS statistics:
The author is also advertising exploit kit protection features, as well as a 3 tiered package system with package 3 costing the most at $1,200 per week and $4,000 per month:
The tiered packages come with different exploits, with package 1 offering only IE and Flash exploits.
I have yet to run into an infection chain involving this exploit kit so I can’t confirm any of these claims. Furthermore, the OP had their account closed on one of the forums and the thread was closed. Some people in the forum thread were accusing the OP of this being a scam. If anyone comes across more information you can contact me via Twitter.
Until next time!