Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware
NOTES:
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- More information about the latest pseudoDarkleech campaign can be found in the SANS Internet Storm Center post “Change in patterns for the pseudoDarkleech campaign”.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-07-25-Neutrino-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
173.45.70.70 – serafino-monocarbonate.givingtuesday.org.uk – Neutrino EK
188.0.236.9 Port 443 – CryptXXX CnC Check-in
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
http://lkpe6tr2yuk4f246.onion.to
http://lkpe6tr2yuk4f246.onion.cab
http://lkpe6tr2yuk4f246.onion.city
DETAILS OF INFECTION CHAIN:
Shown above: IP addresses and domains associated with today’s CryptXXX ransomware infection
Shown above: Injected script found on the index page of the compromised site, leading to the Neutrino Exploit Kit landing page
Shown above: Using Wireshark’s “Follow Stream” on packet 142 shows Neutrino exploiting Flash
Shown above: Using Wireshark’s “Follow Stream” on packet 553 shows Neutrino downloading the encrypted malicious payload, masked as an application/octet-stream
Shown above: CryptXXX .HTML ransom note and De-Crypt instructions in @README.HTML
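The indicators listed above (the Neutrino EK host, the CryptXXX check-in IP and the Tor2web gateways used for ransom payment) are easy to turn into a retrospective check against proxy logs. The script below is an added example written for this post, not code from the original write-up or from the pcap; the log format and the sample log lines are constructed, and only the hostnames, IP and port come from the indicator lists above. It generalizes the payment domains by matching the hidden-service name regardless of which .onion gateway (or the bare .onion name) a client used.

```python
"""Match proxy-log lines against the IoCs listed in this post.

Assumed log format (constructed for this example):
    "<timestamp> <client_ip> <method> <host>:<port> <path>"
Swap SAMPLE_LOG for real proxy logs of the same shape.
"""
import re
from collections import namedtuple

# Indicators taken from the post above
NEUTRINO_EK_IP = "173.45.70.70"
NEUTRINO_EK_DOMAIN = "serafino-monocarbonate.givingtuesday.org.uk"
CRYPTXXX_CNC_IP = "188.0.236.9"          # check-in seen on port 443
# The three payment URLs are one Tor hidden service reached through clearnet
# Tor2web gateways (.onion.to, .onion.cab, .onion.city). Match on the
# hidden-service name so a new gateway, or direct .onion access, still hits.
ONION_PAYMENT_ID = "lkpe6tr2yuk4f246"
ONION_HOST_RE = re.compile(
    r"(?:^|\.)" + re.escape(ONION_PAYMENT_ID) + r"\.onion(?:\.[a-z]+)?$", re.I
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<path>\S*)"
)

Alert = namedtuple("Alert", "line_no stage client host port")


def classify(host, port):
    """Return the infection-chain stage an endpoint belongs to, or None."""
    host = host.lower().rstrip(".")
    if host in (NEUTRINO_EK_IP, NEUTRINO_EK_DOMAIN):
        return "neutrino-ek"
    # Any contact with the C2 address is worth an alert; the port is recorded
    # on the Alert so the analyst can see whether it matches the 443 check-in.
    if host == CRYPTXXX_CNC_IP:
        return "cryptxxx-cnc-checkin"
    if ONION_HOST_RE.search(host):
        return "cryptxxx-ransom-payment"
    return None


def scan(lines):
    """Return an Alert for every parseable line that touches a known IoC."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        stage = classify(m["host"], int(m["port"]))
        if stage:
            alerts.append(Alert(n, stage, m["client"], m["host"], int(m["port"])))
    return alerts


# Constructed sample log lines; none are taken from the pcap.
SAMPLE_LOG = [
    "2016-07-25T14:02:11Z 10.0.0.15 GET compromised-site.example:80 /index.html",
    "2016-07-25T14:02:12Z 10.0.0.15 GET serafino-monocarbonate.givingtuesday.org.uk:80 /",
    "2016-07-25T14:02:20Z 10.0.0.15 GET 173.45.70.70:80 /",
    "2016-07-25T14:03:05Z 10.0.0.15 CONNECT 188.0.236.9:443 -",
    "2016-07-25T15:10:00Z 10.0.0.15 GET lkpe6tr2yuk4f246.onion.to:80 /",
    "2016-07-25T15:10:30Z 10.0.0.15 CONNECT lkpe6tr2yuk4f246.onion.city:443 -",
    "this line is not in the expected format",
    "2016-07-25T15:11:00Z 10.0.0.15 GET www.example.com:80 /",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.stage:<24} {a.client} -> {a.host}:{a.port}")
```

Run as-is it flags the landing page, the exploit-kit IP, the 443 check-in and both ransom-payment gateways, and reports which internal client made each request; the unrelated hosts and the malformed line are ignored.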
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EK:
- 2016-07-25-Neutrino-EK.swf (Virus Total Link)
- 2016-07-25-rad4A812.tmp.dll (Virus Total Link)