{"id":90,"date":"2018-08-29T16:19:40","date_gmt":"2018-08-29T15:19:40","guid":{"rendered":"http:\/\/fortgale.com\/news\/?p=90"},"modified":"2026-06-08T22:31:52","modified_gmt":"2026-06-08T22:31:52","slug":"neutrino-malware-campaign-infections","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/neutrino-malware-campaign-infections\/","title":{"rendered":"Malware campaign \u2014 Neutrino infections"},"content":{"rendered":"<p style=\"text-align: justify\">Below is an analysis of the Neutrino Trojan. Among recent malware campaigns employing Neutrino, in which an Office suite attachment serves as the initial infection stage, a technique has recently been introduced to increase message reliability and bypass automated malware analysis systems.<\/p>\n<h2 style=\"text-align: justify\">Delivery Method<\/h2>\n<p style=\"text-align: justify\">The infection technique and malware campaign typology present no novelty in the context of malware infections, having been well <a href=\"https:\/\/www.malware-traffic-analysis.net\/2018\/08\/21\/index2.html\">documented for some time.<\/a><\/p>\n<p style=\"text-align: justify\">Infection occurs via email with a password-protected malicious attachment. The password is contained within the email body. 
This compels the user to treat the attachment as trustworthy.<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/08\/screen-1024x769.jpg\" alt=\"\" width=\"750\" height=\"563\" class=\"alignnone wp-image-91 size-large\" loading=\"lazy\"><\/p>\n<p style=\"text-align: justify\">Upon entering the password, the document appears as follows:<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/08\/word.jpg\" alt=\"\" width=\"915\" height=\"750\" class=\"alignnone wp-image-92 size-full\" loading=\"lazy\"><\/p>\n<p style=\"text-align: justify\">Should the user enable the Macro, it proceeds to download and execute additional malware components on the now-compromised system.<\/p>\n<h2 style=\"text-align: justify\">Network Analysis<\/h2>\n<p style=\"text-align: justify\">From a network security perspective, infection within a controlled virtual environment generated a significant volume of IDS (Intrusion Detection System) alerts with precise signatures identifying the threat typology:<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/08\/nids.png\" alt=\"\" width=\"608\" height=\"358\" class=\"wp-image-93 size-full aligncenter\" loading=\"lazy\"><\/p>\n<p style=\"text-align: justify\">Alerts were also generated regarding the download of an executable file (.exe) and its download directly from an IP address (dotted-quad).<\/p>\n<p style=\"text-align: justify\">More precise is the anomaly &#8220;ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016,&#8221; which allows us to identify a typical malicious behavior frequently employed in these campaigns: malware download via MACRO.<\/p>\n<p style=\"text-align: justify\">IDS signature details:<\/p>\n<blockquote><p><span>alert http $HOME_NET any -&gt; $EXTERNAL_NET any 
(msg:&quot;ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016&quot;; flow:established,to_server; content:&quot;GET&quot;; http_method; content:&quot;.exe&quot;; http_uri; nocase; fast_pattern:only; content:&quot;Accept|3a 20|*\/*|0d 0a|&quot;; depth:13; http_header; content:&quot;Accept-Encoding|3a 20|gzip, deflate|0d 0a|&quot;; http_header; content:&quot;User-Agent|3a 20|Mozilla\/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT&quot;; http_header; content:!&quot;Referer|3a|&quot;; http_header; content:!&quot;Cookie|3a|&quot;; pcre:&quot;\/(?:\\\/(?:(?:p(?:lugins\\\/content\\\/vote\\\/\\.ssl\\\/[a-z0-9]|a(?:nel\\\/includes\\\/[^\\x2f]+|tric)|o(?:sts?\\\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\\d{1,2})|s(?:ystem\\\/(?:logs|engine)\\\/[^\\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\\x2f]*|gau\\\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\\d+\\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\\\/[^\\x2f]+|[^\\x2f]*)|st\\d+|fos?)|a(?:d(?:min\\\/images\\\/\\w+|obe)|salam|live|us)|m(?:edia\\\/files\\\/\\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\\\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\\\/\\.[^\\x2f]+|\\.css)\\\/.+?|c(?:onfig|hris|alc)|u(?:swinz\\w+|pdate)|xml\\\/load\\\/[^\\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\\\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\\d+)\\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\\d+|Msword)\\.exe)|(?:^\\\/(?:image\\\/.+?\\\/[^\\x2f]+|x\\\/setup)|[\\x2f\\s]order|keem)\\.exe$)\/Ui&quot;; content:!&quot;.bloomberg.com|0d 0a|&quot;; http_header; nocase; content:!&quot;.bitdefender.com|0d 0a|&quot;; http_header; classtype:trojan-activity; sid:2022550; rev:15; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_02_18, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)<\/span><\/p><\/blockquote>\n<p style=\"text-align: justify\">The details just presented are those an analyst considers during the initial analysis phases; they yield important information about the infection process and what is occurring.<\/p>\n<p style=\"text-align: justify\">Going into greater detail, it is possible to characterise the threat typology and extract IOCs (Indicators of Compromise) for wider searching across systems and infrastructures. Through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> capabilities, these indicators are shared within the MISP Community of the <a href=\"https:\/\/ethicalsec.org\/community\/\">EthicalSec<\/a> association.<\/p>\n<p style=\"text-align: justify\">During analysis, 2 distinct servers belonging to the attacker&#8217;s infrastructure were identified:<\/p>\n<ul style=\"text-align: justify\">\n<li><span>209[.]141[.]59[.]124<\/span>\n<ul>\n<li>Malware Delivery Server (from which the executable file &#8220;1.exe&#8221; is downloaded)<\/li>\n<li>Server: USA<\/li>\n<\/ul>\n<\/li>\n<li>securityupdateserver4[.]com \/ 47[.]254[.]203[.]38\n<ul>\n<li>C&amp;C Server (for control and management of infected systems)<\/li>\n<li>Domain Name: WhoisGuard Protected Panama<\/li>\n<li>Server: Malaysia<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 style=\"text-align: justify\">Command &amp; Control<\/h2>\n<p style=\"text-align: justify\">By isolating communications with the command and control
server, it is possible to identify the threat type:<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/08\/URI.png\" alt=\"\" width=\"974\" height=\"130\" class=\"aligncenter wp-image-98 size-full\" loading=\"lazy\"><\/p>\n<p style=\"text-align: justify\">During the first 2 requests, the malware downloads malware components (GET requests).<\/p>\n<p style=\"text-align: justify\">The 8 POST requests to the &#8220;tasks.php&#8221; page represent the exchange of instructions between server and infected workstation.<\/p>\n<p style=\"text-align: justify\">The content of the communication is of particular relevance for identifying the malware typology. In this case, the request made by the &#8220;victim&#8221; and the server&#8217;s &#8220;404 Not Found&#8221; response can be observed.<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/08\/Screenshot-from-2018-08-29-16-38-57-1024x576.png\" alt=\"\" width=\"750\" height=\"422\" class=\"aligncenter wp-image-99 size-large\" loading=\"lazy\"><\/p>\n<p style=\"text-align: justify\">Within the request is the text &#8220;ZW50ZXI=&#8221; which is &#8220;enter&#8221; (Base64).<\/p>\n<p style=\"text-align: justify\">The response, an apparent 404 error, instead contains the instructions: &#8220;Yir\/iIr0Rw==&#8221;. The malware has established communication with the attacker&#8217;s server.<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/08\/commands-1024x575.png\" alt=\"\" width=\"750\" height=\"421\" class=\"aligncenter wp-image-101 size-large\" loading=\"lazy\"><\/p>\n<p style=\"text-align: justify\">This information allows us to link the infection to the Neutrino Malware. 
It is an InfoStealer targeting the acquisition of information related to banking data (including from POS terminals); see the <a href=\"https:\/\/securelist.com\/neutrino-modification-for-pos-terminals\/78839\/\">Kaspersky Analysis<\/a>.<\/p>\n<p style=\"text-align: justify\">Macro-based delivery combined with an obfuscated command protocol remains an effective infection vector, particularly when paired with legitimate-looking network infrastructure and a Base64-encoded command channel that evades signature-based detection.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Neutrino exploit-kit campaign: redirect chains, vulnerable plugins exploited, payload delivery and indicators observed during detection on Italian infrastructures.<\/p>\n","protected":false},"author":1,"featured_media":93,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[48,3156,103,3155,3154,212,244,319],"class_list":["post-90","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-banker","tag-campaign-tracking","tag-cybersecurity","tag-drive-by-download","tag-exploit-kit","tag-malware","tag-neutrino","tag-sicurezza-gestita"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/90","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=90"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/90\/revisions"}],"predecessor-version":[{"id":9854,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/90\/revisions\/9854"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=90"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=90"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}