Experts published IE Exploit code and crooks added it to Neutrino EK

Operators behind the Neutrino EK have added code to exploit an Internet Explorer flaw that was recently patched with the release of MS16-053.

Operators behind the infamous Neutrino EK have recently added code to exploit an Internet Explorer vulnerability that was patched with the release of the MS16-053 security bulletin.

The MS16-053 bulletin patched two remote code execution vulnerabilities in the JScript (CVE-2016-0187) and VBScript (CVE-2016-0189) scripting engines.

The security vulnerabilities can be exploited through the Internet Explorer web browser. Unfortunately, CVE-2016-0189 had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

In order to trigger the vulnerability, victims have to visit a compromised website or open a spear-phishing email containing a malicious link.

Experts from the startup Theori reverse-engineered the MS16-053 patch and published a PoC exploit for the CVE-2016-0189 vulnerability.


The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters, who included it in the Neutrino EK, as confirmed by FireEye.

Researchers from FireEye noticed that the latest version of the Neutrino EK included exploits for a total of five vulnerabilities: three Flash Player flaws (CVE-2016-1019, CVE-2016-4117 and CVE-2015-8651) and two Internet Explorer flaws (CVE-2014-6332 and CVE-2016-0189).

“CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.” states FireEye. “In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.”

The experts compared the code used in the Neutrino EK and the one released by the researchers. Researchers from FireEye speculate that crooks might be able to adapt the exploit for older versions of the operating system as well.

In January, experts from Heimdal Security warned of a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kits; the crimeware kits have become the most popular exploit kits after Angler and Nuclear disappeared.

Pierluigi Paganini
