After a long hiatus, it appears that Neosploit may have come back to life! While the code has some slight changes, it functions similarly to previously known versions of Neosploit, so it doesn’t look like a major upgrade. I can’t tell how widespread this is, but I think we can all agree that it made a pretty big impact a while ago, before Black Hole became a dominant player in the attack toolkit space.
Here’s the website that is hosting the link to the exploit pack:
The website’s source code reveals the malicious redirect script.
When you clean up the code, it looks like this:
Interestingly, the redirect script above employs an obfuscation method similar to the one used by Neosploit. Both scripts contain a common function that decrypts the strings passed to it. If you can monitor that function, you can extract the resulting script after it has been decrypted, without letting it execute.
The redirect script above calls upon an external script which triggers the infection process. Here are the URL formats:
If you’ve been tracking Neosploit, you’ll notice that the URL formats look familiar. Here’s another familiar item, the obfuscation method:
That “run” function you see is the main decryptor, which previous versions of Neosploit were known to use. There are slight changes here and there, probably meant to get past IDS and AV signatures. The exploits used are similar to previous versions, with Java leading the way, followed by Acrobat.