History of “Neptune EK”:
On March 16th, 2017, I received a DM from the author of the now defunct Terror exploit kit. The DM surprised me as he was blocking me on Twitter. The DM was as follows:
The bit.ly link redirected me to a server hosting exploits from what was then being marketed by the author as “Neptune” exploit kit:
The first mention of Neptune exploit kit appeared on numerous underground forums around March 10th, 2017. A full post on that can be found HERE. Here was the login panel for Neptune EK:
The files that I was interested in were located on the server at /var/www/fuckingaids/files/. I took the opportunity to download the various files located in the exploit directories. Below is an image of the files that I downloaded:
Some of these filenames will come up later in the post. Specifically, cve-2015-2419, cve-2016-0189, oiuhygnjda.swf and wdioj124.swf.
The author confirmed that Neptune was his exploit kit:
His motivations for releasing the kit appear to be that he was done dealing with it:
The validity of Neptune EK had come under fire on numerous underground forums. In total I was told that this was the authors 3rd or 4th attempt at re-branding his kit (Terror EK, Blaze EK, Neptune EK, etc.).
Here are some very good articles written by Simon Kenin at SpiderLabs that talks about the author and his exploit kits:
New EK Traffic is Spotted
About a week after I was sent the bit.ly link for the Neptune exploits I received another DM from the author showing traffic to his kit:
Around the same time he swore off EKs there was a report published (March 15th, 2017) by FireEye’s Zain Gardezi. That report can be seen HERE. In Zain’s report were numerous referers and IOCs. The one IP from that report that we will be focusing on is 22.214.171.124, which is a shadow server. Fast forward a little more than a week later and we see the traffic from 126.96.36.199 (mentioned in the DM above). Other EK researchers like Brad were posting their findings from the shadow server at 188.8.131.52. There was also a shadow server domain posted on Twitter from the EK researcher Zerophage (he also has numerous posts about this traffic).
The shadow server belongs to a Kansas City based hosting provider called Wholesale Internet, which had some history with the Rustock botnet back in 2011. Wholesale Internet disputed claims that they knew about their servers being used in the botnet. Wholesale also offers cPanel licenses for around $36/mo. I only note that because checking the server shows that it is using cPanel:
Below is the recent resolution history for 184.108.40.206:
|Domain||First Seen||Last Seen|
|ns2.freeprizes.org||1/12/2017 23:23||4/3/2017 14:50|
|ns1.freeprizes.org||1/12/2017 23:23||4/3/2017 14:50|
|schema.club||4/2/2017 18:00||4/3/2017 14:50|
|www[.]orex.club||4/3/2017 14:03||4/3/2017 14:03|
|www[.]schema.club||4/3/2017 14:01||4/3/2017 14:01|
|paydayloanservice.net||3/9/2017 7:43||4/3/2017 12:30|
|sayvinatge.club||3/30/2017 19:19||4/3/2017 11:34|
|orex.club||4/1/2017 18:10||4/3/2017 9:11|
|maddow.club||3/30/2017 0:00||4/1/2017 19:18|
|teenchat.pro||3/26/2017 19:01||3/30/2017 19:30|
|sexyvideos.club||3/28/2017 16:40||3/30/2017 14:17|
|paydayloanservice.club||3/26/2017 0:00||3/29/2017 22:48|
|sextosex.club||3/28/2017 9:09||3/29/2017 9:33|
|paydayloanservice.loan||3/24/2017 13:27||3/27/2017 11:06|
|www[.]paydayloanservice.net||3/24/2017 13:56||3/24/2017 13:56|
|teenchathub.com||3/11/2017 9:02||3/24/2017 3:26|
|ns1.role-playing.com||7/14/2014 2:13||3/23/2017 22:24|
|freeitunesgenerator.com||3/13/2017 11:07||3/23/2017 18:04|
|loansplanet.club||2/18/2017 4:39||3/21/2017 3:43|
|freecoupouns.club||2/13/2017 12:15||3/19/2017 11:12|
|paydayloanservice.octogus.com||3/18/2017 12:31||3/18/2017 12:31|
|www[.]freeitunesgenerator.com||3/12/2017 17:29||3/12/2017 17:29|
|getfreeitunes.club||2/28/2017 13:53||3/7/2017 21:36|
|www[.]loansplanet.club||3/6/2017 16:33||3/6/2017 16:33|
|loansplanet.site||2/13/2017 10:20||3/5/2017 16:57|
|bitmore.club||2/9/2017 5:32||3/5/2017 1:30|
|tenfacts.club||2/25/2017 8:46||3/4/2017 22:41|
|bitmore.store||2/11/2017 11:07||3/3/2017 13:25|
|octogus.com||1/21/2017 23:57||3/3/2017 6:04|
|anomed.tk||2/25/2017 17:12||2/25/2017 17:12|
|loansplanet.store||2/24/2017 10:53||2/25/2017 3:40|
|careermind.club||2/10/2017 10:09||2/24/2017 12:40|
|www[.]bitmore.store||2/20/2017 13:40||2/20/2017 13:40|
|anomed.gq||2/5/2017 8:51||2/13/2017 2:13|
|instantpayday.club||2/3/2017 12:28||2/11/2017 23:37|
|anomed.ga||2/3/2017 14:16||2/11/2017 20:26|
|www[.]bitmore.club||2/9/2017 18:22||2/9/2017 18:22|
|paydayloans.gq||2/5/2017 8:49||2/7/2017 22:26|
|paydayloans.ml||2/6/2017 21:58||2/7/2017 20:00|
|www[.]instantpayday.club||2/6/2017 14:07||2/6/2017 14:07|
|www[.]anomed.ga||2/6/2017 14:05||2/6/2017 14:05|
|nometa.info||1/14/2017 6:56||2/3/2017 9:29|
|freecrditkarma.us||1/14/2017 7:42||2/2/2017 20:28|
|dailymediaexpress.com||1/15/2017 11:50||2/2/2017 18:40|
|www[.]dailymediaexpress.octogus.com||1/21/2017 6:08||1/21/2017 14:36|
|dailymediaexpress.octogus.com||1/21/2017 6:08||1/21/2017 6:08|
|www[.]nometa.octogus.com||1/18/2017 9:52||1/18/2017 9:52|
|nometa.octogus.com||1/18/2017 9:51||1/18/2017 9:51|
The domains that I used for my research include sexyvideos.club, orex.club, and schema.club.
My first redirection chain involving this exploit kit originated on 03/29/17 at 19:01 GMT. The referer that I used was sexyvideos.club. Below is the redirection chain from my first run:
Below is the TCP stream showing my GET request for sexyvideos.club as well as the servers response:
As you can see from the image above the server returned a “302 Found” containing a new location, which also happens to be a URL for an exploit kit. Many people on Twitter had also located this referer and captured the subsequent traffic. People were speculating that it was Terror EK due to its similarities. This is likely a re-themed version (more on that later).
The host then makes the GET request for the new location at 220.127.116.11/e71cac9dd645d92189c49e2b30ec627a/5ed0aaf4f04ffac1d552133e4a559be8
The response from the server is compressed so I’ve attached an image of the code below:
The VBScript makes a GET request for the CVE mentioned above, creates a folder under the TMP environment variable path, creates a file named “shell32.dll” from hard-coded array data, spawns an executable with the naming convention being 8 characters long ending in “.exe” (with the selection characters from “abcdehiklmnoprstuw02346”), and ultimately execute the executable. Turns out this GET request was the post-exploitation payload, the exploit itself was embedded in the original response to the POST request.
Here is an example of another run using the referer orex.club:
You’ll notice that in the traffic shown above there are two request for “oiuhygnjda.swf” and “wdioj124.swf.” Remember that these filenames were seen in the Neptune EK dump.
Here is the code returned by the GET request for /6c5564c46aaceaa02a90726ca1c50903/a39401275d1b300aa789fb22aea4148a:
The first run contained similar code to the snapshot seen above, the only difference being the objects used – this used Flash objects and the former used Silverlight. However, they both contained segments of base64 encoded data; which once decoded revealed the following direct IP address URL:
Here is yet another run using orex.club:
In this run we can see that the last GET request (payload) contains both “cve20160189” and “cve20152419” in the URI. We discussed that CVE earlier in the post. The payload that I got was Smoke Loader (see the IOCs section for more details).
My third run was done using schema.club. It too redirected my host to this exploit kit and dropped Smoke Loader:
Further reconnaissance led to directories being hosted on a web server tied to the traffic. The request returns a “403 Forbidden” but also gives me the location of what appears to be a back-end web server. Below is an image of the 403 Forbidden page:
After doing some more digging I located a domain associated with the server. Lastly, I found a login panel for something named “eris” with the jabber contact information being “firstname.lastname@example.org”:
The Whois record for the domain shows it was created at the end of March 2017. This matches the time frame from when the code was leaked. The author of Terror EK believes that the kit could have been re-themed.
It should be noted that he stated that he wasn’t involved and that he isn’t doing anything illegal anymore.
I am now starting to see advertisements for Eris exploit kit on a well known underground forum.
- 18.104.22.168 – orex.club – Shadow server domain
- 22.214.171.124 – sexyvides.club – Shadow server domain
- 126.96.36.199 – schema.club – Shadow server domain
- 188.8.131.52 – “Eris EK”? Terror EK / Neptune EK
- 184.108.40.206 – “Eris EK”? Terror EK / Neptune EK
File name: 5ed0aaf4f04ffac1d552133e4a559be8
File name: 58dc048075687
File name: 9526e055c9757becf45c5190facfd9f2
File name: a39401275d1b300aa789fb22aea4148a
File name: 0bku033t.exe
ID: Smoke Loader
File name: 4bihclea.exe
ID: Smoke Loader
Malicious Artifacts (password is “infected”)
Shout-out to my buddy irdivision who co-authored this post with me!