History of “Neptune EK”:
On March 16th, 2017, I received a DM from the author of the now defunct Terror exploit kit. The DM surprised me as he was blocking me on Twitter. The DM was as follows:
The bit.ly link redirected me to a server hosting exploits from what was then being marketed by the author as “Neptune” exploit kit:
179.43.144.12/407.php?x=ls&d=%2Fvar%2Fwww%2Ffuckingaids%2Ffiles%2Fexploit_01&sort=0a
The first mention of Neptune exploit kit appeared on numerous underground forums around March 10th, 2017. A full post on that can be found HERE. Here was the login panel for Neptune EK:
The files that I was interested in were located on the server at /var/www/fuckingaids/files/. I took the opportunity to download the various files located in the exploit directories. Below is an image of the files that I downloaded:
Files downloaded from the 179.43.144.12
Some of these filenames will come up later in the post. Specifically, cve-2015-2419, cve-2016-0189, oiuhygnjda.swf and wdioj124.swf.
The author confirmed that Neptune was his exploit kit:
His motivations for releasing the kit appear to be that he was done dealing with it:
The validity of Neptune EK had come under fire on numerous underground forums. In total I was told that this was the authors 3rd or 4th attempt at re-branding his kit (Terror EK, Blaze EK, Neptune EK, etc.).
Here are some very good articles written by Simon Kenin at SpiderLabs that talks about the author and his exploit kits:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Underground-Scams–Cutting-the-Head-Off-a-Snake/
New EK Traffic is Spotted
About a week after I was sent the bit.ly link for the Neptune exploits I received another DM from the author showing traffic to his kit:
IP address 159.203.185.4
Around the same time he swore off EKs there was a report published (March 15th, 2017) by FireEye’s Zain Gardezi. That report can be seen HERE. In Zain’s report were numerous referers and IOCs. The one IP from that report that we will be focusing on is 173.208.245.114, which is a shadow server. Fast forward a little more than a week later and we see the traffic from 159.203.185.4 (mentioned in the DM above). Other EK researchers like Brad were posting their findings from the shadow server at 173.208.245.114. There was also a shadow server domain posted on Twitter from the EK researcher Zerophage (he also has numerous posts about this traffic).
The shadow server belongs to a Kansas City based hosting provider called Wholesale Internet, which had some history with the Rustock botnet back in 2011. Wholesale Internet disputed claims that they knew about their servers being used in the botnet. Wholesale also offers cPanel licenses for around $36/mo. I only note that because checking the server shows that it is using cPanel:
Below is the recent resolution history for 173.208.245.114:
| Domain | First Seen | Last Seen |
| ns2.freeprizes.org | 1/12/2017 23:23 | 4/3/2017 14:50 |
| ns1.freeprizes.org | 1/12/2017 23:23 | 4/3/2017 14:50 |
| schema.club | 4/2/2017 18:00 | 4/3/2017 14:50 |
| www[.]orex.club | 4/3/2017 14:03 | 4/3/2017 14:03 |
| www[.]schema.club | 4/3/2017 14:01 | 4/3/2017 14:01 |
| paydayloanservice.net | 3/9/2017 7:43 | 4/3/2017 12:30 |
| sayvinatge.club | 3/30/2017 19:19 | 4/3/2017 11:34 |
| orex.club | 4/1/2017 18:10 | 4/3/2017 9:11 |
| maddow.club | 3/30/2017 0:00 | 4/1/2017 19:18 |
| teenchat.pro | 3/26/2017 19:01 | 3/30/2017 19:30 |
| sexyvideos.club | 3/28/2017 16:40 | 3/30/2017 14:17 |
| paydayloanservice.club | 3/26/2017 0:00 | 3/29/2017 22:48 |
| sextosex.club | 3/28/2017 9:09 | 3/29/2017 9:33 |
| paydayloanservice.loan | 3/24/2017 13:27 | 3/27/2017 11:06 |
| www[.]paydayloanservice.net | 3/24/2017 13:56 | 3/24/2017 13:56 |
| teenchathub.com | 3/11/2017 9:02 | 3/24/2017 3:26 |
| ns1.role-playing.com | 7/14/2014 2:13 | 3/23/2017 22:24 |
| freeitunesgenerator.com | 3/13/2017 11:07 | 3/23/2017 18:04 |
| loansplanet.club | 2/18/2017 4:39 | 3/21/2017 3:43 |
| freecoupouns.club | 2/13/2017 12:15 | 3/19/2017 11:12 |
| paydayloanservice.octogus.com | 3/18/2017 12:31 | 3/18/2017 12:31 |
| www[.]freeitunesgenerator.com | 3/12/2017 17:29 | 3/12/2017 17:29 |
| getfreeitunes.club | 2/28/2017 13:53 | 3/7/2017 21:36 |
| www[.]loansplanet.club | 3/6/2017 16:33 | 3/6/2017 16:33 |
| loansplanet.site | 2/13/2017 10:20 | 3/5/2017 16:57 |
| bitmore.club | 2/9/2017 5:32 | 3/5/2017 1:30 |
| tenfacts.club | 2/25/2017 8:46 | 3/4/2017 22:41 |
| bitmore.store | 2/11/2017 11:07 | 3/3/2017 13:25 |
| octogus.com | 1/21/2017 23:57 | 3/3/2017 6:04 |
| anomed.tk | 2/25/2017 17:12 | 2/25/2017 17:12 |
| loansplanet.store | 2/24/2017 10:53 | 2/25/2017 3:40 |
| careermind.club | 2/10/2017 10:09 | 2/24/2017 12:40 |
| www[.]bitmore.store | 2/20/2017 13:40 | 2/20/2017 13:40 |
| anomed.gq | 2/5/2017 8:51 | 2/13/2017 2:13 |
| instantpayday.club | 2/3/2017 12:28 | 2/11/2017 23:37 |
| anomed.ga | 2/3/2017 14:16 | 2/11/2017 20:26 |
| www[.]bitmore.club | 2/9/2017 18:22 | 2/9/2017 18:22 |
| paydayloans.gq | 2/5/2017 8:49 | 2/7/2017 22:26 |
| paydayloans.ml | 2/6/2017 21:58 | 2/7/2017 20:00 |
| www[.]instantpayday.club | 2/6/2017 14:07 | 2/6/2017 14:07 |
| www[.]anomed.ga | 2/6/2017 14:05 | 2/6/2017 14:05 |
| nometa.info | 1/14/2017 6:56 | 2/3/2017 9:29 |
| freecrditkarma.us | 1/14/2017 7:42 | 2/2/2017 20:28 |
| dailymediaexpress.com | 1/15/2017 11:50 | 2/2/2017 18:40 |
| www[.]dailymediaexpress.octogus.com | 1/21/2017 6:08 | 1/21/2017 14:36 |
| dailymediaexpress.octogus.com | 1/21/2017 6:08 | 1/21/2017 6:08 |
| www[.]nometa.octogus.com | 1/18/2017 9:52 | 1/18/2017 9:52 |
| nometa.octogus.com | 1/18/2017 9:51 | 1/18/2017 9:51 |
Infection Chains:
The domains that I used for my research include sexyvideos.club, orex.club, and schema.club.
My first redirection chain involving this exploit kit originated on 03/29/17 at 19:01 GMT. The referer that I used was sexyvideos.club. Below is the redirection chain from my first run:
Below is the TCP stream showing my GET request for sexyvideos.club as well as the servers response:
As you can see from the image above the server returned a “302 Found” containing a new location, which also happens to be a URL for an exploit kit. Many people on Twitter had also located this referer and captured the subsequent traffic. People were speculating that it was Terror EK due to its similarities. This is likely a re-themed version (more on that later).
The host then makes the GET request for the new location at 159.203.185.4/e71cac9dd645d92189c49e2b30ec627a/5ed0aaf4f04ffac1d552133e4a559be8
The response from the server is compressed so I’ve attached an image of the code below:
The section of code contained within the head tags, seen in the image above, is a block of packed JavaScript. Once unpacked, essentially the function of this code is to identify possible plugins that might exist on the victim’s machine. More specifically for ShockwaveFlash, Adobe Reader, MS Silverlight, and QuickTime plugins with their associated version numbers. Additionally, there is a check for whether Java is enabled. The remainder of the code, the portion within the body tags, is a web form that will be POST’ed back to the remote server at 159.203.185.4/5ed0aaf4f04ffac1d552133e4a559be8/312774/58dc048075687. Some of the fields in the form appeared to be statically generated, likely by the server; while the other four fields are dynamically determined at run time. The response returned from the POST back to the remote server contained more code.
The file returned was very dense, containing three separate pairs of html tags within the same response. The first section of code contained a block of VBScript and JavaScript; which I noticed contained a hard-coded URL – 159.203.185.4/d/5ed0aaf4f04ffac1d552133e4a559be8/?q=r4&r=045623a330973e9af93d63bcf7253976&e=cve20160189. The final parameter in the URI “e=cve20160189”, led me to believe this was specifying an exploit to use CVE-2016-0189. After further research for PoCs related to this exploit, I stumbled across a GitHub repository that contained oddly familiar looking code. Sure enough, the code present was the exploit for this vulnerability in the Microsoft JScript and VBScript engines.
The VBScript makes a GET request for the CVE mentioned above, creates a folder under the TMP environment variable path, creates a file named “shell32.dll” from hard-coded array data, spawns an executable with the naming convention being 8 characters long ending in “.exe” (with the selection characters from “abcdehiklmnoprstuw02346”), and ultimately execute the executable. Turns out this GET request was the post-exploitation payload, the exploit itself was embedded in the original response to the POST request.
The other two blocks contained JavaScript targeting a different vulnerability, CVE-2015-2419; which was a vulnerability that debuted in the Angler EK days. Further analysis into the in-the-wild exploits and the vulnerability itself have already been done by both FireEye and Checkpoint.
Here is an example of another run using the referer orex.club:
You’ll notice that in the traffic shown above there are two request for “oiuhygnjda.swf” and “wdioj124.swf.” Remember that these filenames were seen in the Neptune EK dump.
Here is the code returned by the GET request for /6c5564c46aaceaa02a90726ca1c50903/a39401275d1b300aa789fb22aea4148a:
The first run contained similar code to the snapshot seen above, the only difference being the objects used – this used Flash objects and the former used Silverlight. However, they both contained segments of base64 encoded data; which once decoded revealed the following direct IP address URL:
162.243.119.23/6c5564c46aaceaa02a90726ca1c50903/?q=n&r=none&e=flash
Here is yet another run using orex.club:
In this run we can see that the last GET request (payload) contains both “cve20160189” and “cve20152419” in the URI. We discussed that CVE earlier in the post. The payload that I got was Smoke Loader (see the IOCs section for more details).
My third run was done using schema.club. It too redirected my host to this exploit kit and dropped Smoke Loader:
Further reconnaissance led to directories being hosted on a web server tied to the traffic. The request returns a “403 Forbidden” but also gives me the location of what appears to be a back-end web server. Below is an image of the 403 Forbidden page:
After doing some more digging I located a domain associated with the server. Lastly, I found a login panel for something named “eris” with the jabber contact information being “erisek@null.pm”:
The “ek” in the XMPP address stands for Exploit Kit
The Whois record for the domain shows it was created at the end of March 2017. This matches the time frame from when the code was leaked. The author of Terror EK believes that the kit could have been re-themed.
It should be noted that he stated that he wasn’t involved and that he isn’t doing anything illegal anymore.
I am now starting to see advertisements for Eris exploit kit on a well known underground forum.
IOCs
- 173.208.245.114 – orex.club – Shadow server domain
- 173.208.245.114 – sexyvides.club – Shadow server domain
- 173.208.245.114 – schema.club – Shadow server domain
- 162.243.119.23 – “Eris EK”? Terror EK / Neptune EK
- 159.203.185.4 – “Eris EK”? Terror EK / Neptune EK
Hashes
SHA256: 4b724caed6770e59a176bb1640884873c6976e38f6e2e5ddd7f6dbd70a52ebfd
File name: 5ed0aaf4f04ffac1d552133e4a559be8
SHA256: 38bde48e5aebcc1f06e20c87a5f3be930ca3f1c433abdfa7c5c2017bc9d90c00
File name: 58dc048075687
SHA256: 8a0c69b0eb080eaa02f0b5a8fcd8871e843833a9a83de7a5dc463270902a4aa4
File name: 9526e055c9757becf45c5190facfd9f2
SHA256: 1c2c4d1520829642367169287fd66a2e4112d4262fa99d8a44796eab88383f1b
File name: a39401275d1b300aa789fb22aea4148a
SHA256: 1b9188a7557652c0d9f0383738c9678ec47cc8b7bb8ee019495eb41cb08e64ee
File name: 0bku033t.exe
ID: Smoke Loader
Hybrid-Analysis Report
SHA256: 50a6f777215463cedbe7aee488bce51de4bbdd86d60d5b6c2212df6a7e6f5c79
File name: 4bihclea.exe
ID: Smoke Loader
Hybrid-Analysis Report
Malicious Artifacts (password is “infected”)
Shout-out to my buddy irdivision who co-authored this post with me!
Malware breakdown 