Detecting the Neutrino Exploit Kit

Bill Miskimen
Sr. Security Analyst

The Neutrino Exploit Kit has made several changes in technique and delivery over the past few years. These changes, combined with the demise of the hugely popular Angler Exploit Kit, have helped Neutrino become one of the most used exploit kits on the market today. The group behind Neutrino appears to be updating its exploitation techniques and payloads on almost a monthly basis, if not every few weeks. In this article, we’ll look into how the Neutrino Exploit Kit works and some good ways to detect it. We’ll review some high-level details around the kit itself and how front-line defenders can rapidly, easily, and accurately identify Neutrino activity in an enterprise environment – all without needing to understand complex underlying details like compressed Flash objects, where coffee comes from, and whether or not the Internet truly is housed in a black box at the top of Big Ben. After reading this, analysts should be able to look at an unlabeled packet capture of reasonable size, quickly identify whether any Neutrino activity is present and whether it was successful, and provide a walkthrough/timeline of events around the malicious activity in question.

Foreground Security


