Introduction Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites. These compromised sites kicked off infection chains for Neutrino exploit kit (EK). I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week. Sucuri's blog has information concerning the compromised Magento servers [1], while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK [2]. The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains. The examples I've seen were similar, so let's review the traffic. Chain of events The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry.
Last week's chain of events appears to be:
I've represented the traffic in a flow chart:
Examining the traffic
Upon closer examination, last week's traffic followed specific URL patterns. The HTTP GET request to guruincsite.com returned an iframe containing a URL ending with /app/?d22H.
The HTTP GET request to the second URL ending with /app/?d22H returned HTML redirecting to another URL ending with neitrino.php (which I assume has a mistakenly spelled "neutrino").
The HTTP GET request to the third URL ending with neitrino.php returned an iframe pointing to a Neutrino EK landing page.
Final words I can't provide any pcaps related to the recent wave of Magento site compromises, although I did find some Neutrino EK from a different actor on Wednesday 2015-10-21 [3]. The compromised websites that Magento has investigated were not up-to-date. They all needed a patch that was published earlier this year [4]. I haven't seen anything yet that's led me to believe this was caused by a new or unpublished vulnerability. This is probably an issue where people haven't been keeping their software updated or otherwise following poor security practices. Sites will get compromised if they aren't patched and their software kept up-to-date. Running a website on the Internet is like having a house in a bad neighborhood. People are always trying to break in. --- References: [1] https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html |
Brad 436 Posts ISC Handler Oct 22nd 2015 |
Thread locked Subscribe |
Oct 22nd 2015 6 years ago |
Absolutely the most relevant information I come across in a given day - well done Brad.
Thanks, Alan |
Anonymous |
Quote |
Oct 22nd 2015 6 years ago |
I am seeing a lot of Snort 1:36535 (EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)) being triggered today. Looks like mostly when a webpage is serving up a .js file. This has triggered throughout the day today (the rule was just added yesterday) on well-known websites (NBC News, Huff Post, Dick's Sporting Goods, QVC, AutoTrader). Anyone else seeing this and done some analysis?
|
Colin 1 Posts |
Quote |
Oct 22nd 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!