Exploit:JS/Neosplit.A is a multi-component malware that performs drive-by-download attacks. Exploit:JS/Neosplit is an exploit kit that allows the attacker to install any other malware on the affected computer.
Installation
When a user visits a webpage containing Exploit:JS/Neosplit.A, the user's browser is redirected to another page containing the exploit pack's main script. The browser may be redirected to any of the following:
- hrajgy.cjb.net/<removed>/?2
- imtrunormo.xana.fr/<removed>/?1
- perimary.in/<removed>/?3
- pracwindcil.dlinkddns.com/<removed>/?2
- scatterrider.org/<removed>/?5
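The redirect described above can be hunted for in web-proxy logs. The following is an added example, not part of the original write-up: the log layout, the `x1` stand-in for the redacted path, and the "single digit query" rule inferred from the listed URLs are assumptions.

```python
from urllib.parse import urlsplit

# Redirect hosts listed on this page (their paths are redacted there as <removed>).
NEOSPLIT_HOSTS = {
    "hrajgy.cjb.net", "imtrunormo.xana.fr", "perimary.in",
    "pracwindcil.dlinkddns.com", "scatterrider.org",
}

def classify(url):
    """Return 'landing', 'host-only' or None for one requested URL."""
    if "://" not in url:
        url = "http://" + url              # proxy logs often omit the scheme
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # lowercased, port stripped
    except ValueError:                     # unparseable authority section
        return None
    if host not in NEOSPLIT_HOSTS:         # exact match, so look-alike hosts are ignored
        return None
    # Assumption: landing URLs end in "/?<digit>", as in the five listed entries.
    q = parts.query
    if parts.path.endswith("/") and len(q) == 1 and q in "0123456789":
        return "landing"
    return "host-only"                     # known host, different resource

def hunt(log_lines):
    """Return (client, url, verdict) for every line that touches a listed host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:                # skip malformed lines
            continue
        verdict = classify(fields[2])
        if verdict:
            hits.append((fields[1], fields[2], verdict))
    return hits

# Constructed sample log, format "<timestamp> <client-ip> <url>".
SAMPLE_LOG = [
    "T10:01:07Z 10.0.0.21 http://PERIMARY.in/x1/?3",
    "T10:01:09Z 10.0.0.21 http://example.com/news/?3",
    "T10:02:40Z 10.0.0.35 scatterrider.org:80/x1/?5",
    "T10:03:12Z 10.0.0.35 http://scatterrider.org/favicon.ico",
    "T10:04:00Z 10.0.0.40 http://notperimary.in/x1/?3",
    "malformed line",
]

if __name__ == "__main__":
    for client, url, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:9} {client:10} {url}")
```

A `landing` hit means the client requested a URL of the same shape as the exploit pack's entry page, so that host is the one to check for follow-on downloads.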
Payload
Executes other malware
The webpage that Exploit:JS/Neosplit.A redirects the browser to contains encrypted JavaScript which embeds malicious Java applets. The applets exploit the following vulnerabilities:
These vulnerabilities allow the download and execution of arbitrary files.
Exploit:JS/Neosplit.A embeds a malicious PDF file into webpages if the victim's browser has the Adobe PDF ActiveX enabled. The PDF file automatically exploits vulnerabilities discussed in the following links:
Exploit:JS/Neosplit.A also embeds a malicious SWF file into webpages if the victim's browser has the Adobe ShockWave Flash plugin enabled. The malicious SWF file exploits the vulnerability discussed in CVE-2011-0611.
If Exploit:JS/Neosplit.A successfully exploits any of these vulnerabilities, it may download other malware. In the wild, Exploit:JS/Neosplit.A has been known to download variants of Win32/Sinowal.
Analysis by Sergey Chernyshev and Daniel Chipiristeanu