Criminals switch from Angler exploit kit to Neutrino


Security researcher Kafeine of the “Malware Don’t Need Coffee” blog reports that the last infections from the Angler exploit kit occurred a week ago. The Neutrino kit, on the other hand, has gained popularity.

For example, Kafeine writes that the SadClowns group now uses Neutrino instead of Angler. Other researchers are also seeing large Angler users migrate to that exploit kit, Softpedia reports. Besides Neutrino, RIG and Sundown are also alternatives for those users. The Neutrino kit mainly infects victims with ransomware, chiefly the TeslaCrypt replacement CryptXXX or Cerber.

Kafeine indicates that there have been periods in which the activity of exploit kits declined, for example when the groups behind them went on holiday or when infrastructure was being moved. However, that does not appear to be the case now, and there seems to be another reason behind the discontinued activity. The researcher indicates that there is a possible connection with the recent arrest of fifty hackers in Russia.

As a result of Angler's disappearance, Neutrino has increased its prices. For example, the price has doubled to 1500 dollars per week, which converts to 1330 euros. The same behavior was seen after the arrest of the author of the BlackHole exploit kit in 2013.

Exploit kits use vulnerabilities to infect victims, for example in software such as Flash and Silverlight. Today, in the vast majority of cases, the payload for such infections is ransomware. The latest development around Angler was spotted by security firm FireEye last week, when it found that the kit was able to bypass the Windows security tool EMET on Windows 7 systems. Angler is considered the largest and most advanced exploit kit.
