Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Compromised Magento sites led to Neutrino exploit kit - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Compromised Magento sites led to Neutrino exploit kit

Introduction

Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites.  These compromised sites kicked off infection chains for Neutrino exploit kit (EK).  I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week.

Sucuri's blog has information concerning the compromised Magento servers [1], while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK [2].  The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains.  The examples I've seen were similar, so let's review the traffic.

Chain of events

The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry. 


Shown above: Traffic from the Malwarebytes blog entry [2].


Shown above:  Other traffic I found, from Friday 2015-10-16.

Last week's chain of events appears to be:

  • Bad actors behind this campaign compromise a Magento website.
  • Pages from compromised sites have injected script pointing to a URL at guruincsite.com.
  • The URL to guruincsite.com returns an iframe pointing to a second malicious domain.
  • Second malicious URL returns HTML redirecting to a third URL ending with neitrino.php.
  • Neitrino.php from the third malicious domain returns an iframe to a Neutrino EK landing page.

I've represented the traffic in a flow chart:


Shown above:  Flow chart for last week's infection chains.

Examining the traffic


Shown above:  Traffic I found on Friday 2015-10-16, this time with IP addresses.

Upon closer examination, last week's traffic followed specific URL patterns.  The HTTP GET request to guruincsite.com returned an iframe containing a URL ending with /app/?d22H.


Shown above:  HTTP GET request to guruincsite.com.

The HTTP GET request to the second URL ending with /app/?d22H returned HTML redirecting to another URL ending with neitrino.php (which I assume has a mistakenly spelled "neutrino").


Shown above:  HTTP GET request to the second URL.

The HTTP GET request to the third URL ending with neitrino.php returned an iframe pointing to a Neutrino EK landing page.


Shown above:  HTTP GET request to the third URL.

Final words

I can't provide any pcaps related to the recent wave of Magento site compromises, although I did find some Neutrino EK from a different actor on Wednesday 2015-10-21 [3].

The compromised websites that Magento has investigated were not up-to-date.  They all needed a patch that was published earlier this year [4].  I haven't seen anything yet that's led me to believe this was caused by a new or unpublished vulnerability.  This is probably an issue where people haven't been keeping their software updated or otherwise following poor security practices.

Sites will get compromised if they aren't patched and their software kept up-to-date.  Running a website on the Internet is like having a house in a bad neighborhood.  People are always trying to break in.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html
[2] https://blog.malwarebytes.org/exploits-2/2015/10/new-neutrino-ek-campaign-drops-andromeda/
[3] http://malware-traffic-analysis.net/2015/10/21/index.html
[4] https://magento.com/security/news/important-security-update

Brad

314 Posts
ISC Handler
Absolutely the most relevant information I come across in a given day - well done Brad.

Thanks,
Alan
Anonymous
I am seeing a lot of Snort 1:36535 (EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)) being triggered today. Looks like mostly when a webpage is serving up a .js file. This has triggered throughout the day today (the rule was just added yesterday) on well-known websites (NBC News, Huff Post, Dick's Sporting Goods, QVC, AutoTrader). Anyone else seeing this and done some analysis?
Colin

1 Posts

Sign Up for Free or Log In to start participating in the conversation!