A new global malvertising campaign detected by security researchers involves hackers using the Neptune exploit kit to drop cryptocurrency miners. Although exploit kit activity has dropped substantially since the infamous Angler exploit kit disappeared in 2016, hackers are still using exploit kits in new campaigns.
The Neptune exploit kit, aka the Terror exploit kit, was used in the new malvertising campaign to drop Monero miners and involved hackers abusing legitimate pop-up ad services "within Alexa's top 100" to redirect victims to malicious sites. Researchers at FireEye said the new campaign, which was discovered in July this year, targeted Europe, the US, South Korea, Singapore, Thailand, Japan, South America and Canada.
"Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user," the FireEye researchers said in a blog.
The malvertising campaign redirects users to fake sites whose domains mimic those of legitimate websites, including hiking sites and sites that let users convert YouTube videos to MP3. Once a victim has been redirected, the exploit kit drops a Monero miner. Experts suggest that spreading cryptocurrency miners lets hackers rake in small amounts of money, which can then be used to fund other attacks.
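A practitioner reading about look-alike domains like the ones above would want a quick way to spot them in their own web proxy logs. The following script is an added example for this article, not code from FireEye or from the campaign itself: it parses a few constructed proxy log lines (the domains, clients and timestamps are invented for illustration, not indicators from the report), canonicalises each hostname, and flags hosts that sit within a small edit distance of a domain the organisation knows to be legitimate, which is how a typosquatted redirect target stands out from the genuine site a user visited moments earlier.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the FireEye report). The hypothetical
# user on 10.0.0.5 visits a legitimate hiking site, gets a pop-up ad redirect,
# lands on a look-alike domain ("rn" masquerading as "m") and fetches a binary.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z 10.0.0.5 GET http://www.example-hiking.com/trails/ 200
2017-08-01T10:00:02Z 10.0.0.5 GET http://ads.example-popup.net/show?id=42 302
2017-08-01T10:00:03Z 10.0.0.5 GET http://www.exarnple-hiking.com/index.html 200
2017-08-01T10:00:04Z 10.0.0.5 GET http://www.exarnple-hiking.com/load.exe 200
2017-08-01T10:05:00Z 10.0.0.7 GET http://youtube2mp3-example.org/convert 200
2017-08-01T10:05:01Z 10.0.0.7 GET http://youtube2mp3-exanple.org/convert 200
"""

# Constructed allow-list of domains the organisation expects to see.
KNOWN_GOOD = {"www.example-hiking.com", "youtube2mp3-example.org"}

# Assumed log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the usual row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def canonical_host(url: str) -> str:
    """Hostname with a leading 'www.' stripped so variants compare equal."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def parse_log(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        yield {"ts": ts, "client": client, "method": method,
               "url": url, "host": canonical_host(url), "status": int(status)}


def lookalike_hits(log_text: str, known_good, max_distance: int = 2):
    """Return unique (ts, client, host, mimicked_domain, distance) tuples for
    hosts that are NOT on the allow-list but lie within max_distance edits of
    an allow-listed domain. Exact matches (distance 0) are the real site and
    are never reported. max_distance=2 catches the classic rn/m and single
    character swaps without flagging every unrelated short domain."""
    good = {canonical_host("http://" + d) for d in known_good}
    hits = {}
    for rec in parse_log(log_text):
        host = rec["host"]
        if host in good or (rec["client"], host) in hits:
            continue
        for legit in sorted(good):
            d = levenshtein(host, legit)
            if 0 < d <= max_distance:
                hits[(rec["client"], host)] = (rec["ts"], rec["client"], host, legit, d)
                break
    return list(hits.values())


if __name__ == "__main__":
    for ts, client, host, legit, d in lookalike_hits(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{ts} {client} -> {host} looks like {legit} (distance {d})")
```

The allow-list approach only works for sites you already know users visit, so in practice you would seed it from the most-visited domains in the same logs, and treat a look-alike hit that is immediately followed by an executable download, as in the constructed sample, as the higher-priority alert.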
Neptune was one of several exploit kits that popped up after Angler was taken down. In May, researchers at Cisco Talos said Neptune had been updated with security evasion features. The FireEye researchers also pointed out that some of the vulnerabilities used by Neptune have already been patched. For instance, Microsoft fixed CVE-2014-6332, one of the vulnerabilities used by Neptune, in November 2014. However, users still running outdated and unpatched software remain vulnerable to such attacks.