Neutrino Exploit Kit via Redirect Gate delivers CryptXXX Ransomware
The new redirect gate IP address is also registered to the same provider as the command and control (C2) that has been used in the CryptXXX campaign.
Germany, AS8972 PlusServer AG.
The traffic to the command and control server (C2) also appears to have changed.
The encrypted files continue to use .crypz extensions.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 18.104.22.168 – http://realstatistics.info//js/analytic.php?id=4&tz=-5&rs=1024×768 – Redirect GATE
- 22.214.171.124 – magnesia.alliedtherapys.co.uk – Neutrino EK LANDING PAGE
- 126.96.36.199 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
IMAGES and DETAILS:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: