Neutrino EK

The Neutrino exploit kit, a former leader of the exploit kit market, appears to have shut down, with the last activity recorded at the start of April, well over two months ago.

The Neutrino exploit kit appeared on the cybercrime landscape in 2013, and was heavily advertised on Russian-speaking cybercrime forums.

At the time, Neutrino was a small time player among the plethora of Blackhole EK copycats, Angler, Nuclear, and other EKs. As exploit kits came and left, Neutrino's market share grew, accounting for around 4% at the end of 2015.

Its claim to fame came in the summer of 2016, when it became the undisputed leader of the exploit kit market, after two major players — Angler and Nuclear — ceased activity for different reasons.

Neutrino entered a "private mode" in September 2016

Between June and September 2016, Neutrino was the primary suspect in most malvertising campaigns and a favorite tool among cyber-criminals. At the time, Neutrino was by far the most advanced toolkit in an exploit kit landscape that was barren compared to previous years.

Then, out of the blue, the Neutrino authors took the surprising decision to go into "private mode," catering to a small number of selected customers.

"We are closed. no new rents, no extends more," the authors wrote in Jabber/XMPP messages sent to their clientele at the time, in September 2016.

Furthermore, the banners that had advertised the service on underground forums for years also disappeared. Below is the last known Neutrino ad banner, as spotted by security researcher Kafeine, who first noticed Neutrino going into private mode last year and who also noticed it going dark in April.

Last known banner advertising the Neutrino EK

But the Neutrino EK didn't die out. For seven more months, Neutrino kept redirecting traffic to its landing pages and infecting users, albeit in much smaller numbers.

The RIG EK rose and took Neutrino's top spot, along with the entire attention of the cyber-security industry.

Neutrino continued to test new exploits

Despite going private, Neutrino's service didn't degrade. Kafeine told Bleeping Computer today that the exploit kit continued to function as normal and even tested two new Microsoft Edge exploits in January 2017.

Neutrino going dark at the start of April came out of the blue; nothing in the exploit kit's activity before that point hinted it was having problems.

Whether this is a permanent shutdown or a temporary break, we cannot tell. This is not the first time Neutrino has taken a break. The exploit kit also disappeared between March and November 2014, but at the time it was still in its infancy, and periods of inactivity are common for new EKs.

Neutrino's lack of activity has also been noticed by the security researcher behind the Execute Malware blog, who didn't include the EK in a recent post summarizing all recent EK campaigns.

Kafeine has also published an image (large version on Imgur) that summarizes all the major Neutrino campaigns from mid-July 2016 to April 2017, when it went offline.

As you go through the timeline, you can see Neutrino running all sorts of malware distribution campaigns over the summer of 2016, then dropping to two main campaigns after September 2016: spreading the Cerber ransomware and the Gootkit banking trojan. Both of these malware families are now distributed mainly via the RIG EK.

Since we have no evidence that the operators of the Neutrino EK have been apprehended by authorities, we cannot rule out Neutrino making a comeback in the coming months. Let's hope Neutrino's operators have pulled the plug for good.

UPDATE [June 15]: Following our article, F-Secure has also confirmed that Neutrino has ceased all activity. A researcher claiming to have spoken with the Neutrino owner says the exploit kit stopped being profitable. Kafeine says this might be true because Neutrino's exploits were becoming outdated, and it was losing its ability to infect new computers, and hence sustain its business.

Image credits: Kafeine, Bleeping Computer, Arthur Shlain
