Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware – NEW C2
UPDATE:
On my Twitter account, @bemitc pointed out that this variant of CryptXXX may actually be CrypMIC ransomware, as reported by Trend Micro on July 20th, 2016 in the post CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps. I also uploaded the malicious payload to Hybrid-Analysis.com should you wish to review it further.
NOTES:
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- The injection method was an iframe, as mentioned in the SANS Internet Storm Center post Change in patterns for the pseudoDarkleech campaign.
- I also noted CryptXXX is back to sending its ransom notes in clear text, as mentioned in the SANS Internet Storm Center post CryptXXX ransomware updated by Brad Duncan of malware-traffic-analysis.net.
- Also noteworthy is the command and control switch. The command and control is now hosted in Germany, AS24961 myLoc managed IT AG.
- CryptXXX has again added a README.txt file along with the usual .bmp and .html to its ransom notes.
I have added a zipped pcap file for your analysis. I did not include all post-infection traffic to command and control, to protect my decryption key. The password is the one usually used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-07-26-Neutrino-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
173.45.70.67 – ssucheng.homes4dogs.co.uk – Neutrino EK
193.111.140.100 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city
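As an added example (not part of the original write-up), the following Python script turns the indicators listed above into a small detection pass over proxy log lines. The log layout, the field names, the sample lines and the RFC 5737 addresses in them are all constructed for this example; the IP addresses, hostnames and port that are matched come from the lists above. It also generalises slightly beyond the page: any host under the tor2web gateway suffixes .onion.to or .onion.city is tagged for review, and a plain HTTP method seen on port 443 is tagged as clear-text traffic, which is how the post-infection check-in described here would show up.

```python
import re
from typing import List, Optional, Tuple

# Indicators quoted from the lists in the write-up above.
NEUTRINO_EK_IP = "173.45.70.67"
NEUTRINO_EK_HOST = "ssucheng.homes4dogs.co.uk"
C2_IP = "193.111.140.100"
C2_PORT = 443
PAYMENT_HOSTS = {"ccjlwb22w6c22p2k.onion.to", "ccjlwb22w6c22p2k.onion.city"}

# Generalisation (assumption, not from the page): the two payment URLs use
# tor2web gateways, so any host under these suffixes deserves a look.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.city")
# Plain HTTP verbs; a proxy logs CONNECT for tunnelled TLS, so these on
# port 443 mean the request body went over the wire in clear text.
CLEARTEXT_METHODS = {"GET", "POST", "HEAD", "PUT"}

# Hypothetical proxy log layout assumed for this example:
#   <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <host> <uri>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)

# Constructed sample lines (addresses other than the indicators are RFC 5737).
SAMPLE_LOG = """\
2016-07-26T14:02:11Z 10.0.0.25 173.45.70.67:80 GET ssucheng.homes4dogs.co.uk /landing
2016-07-26T14:02:19Z 10.0.0.25 193.111.140.100:443 POST 193.111.140.100 /
2016-07-26T14:03:40Z 10.0.0.25 198.51.100.7:443 CONNECT ccjlwb22w6c22p2k.onion.to -
2016-07-26T14:05:02Z 10.0.0.31 203.0.113.9:443 CONNECT example.com -
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["host"] = rec["host"].lower()
    return rec


def classify(rec: dict) -> List[str]:
    """Return the list of indicator tags that apply to a parsed record."""
    tags: List[str] = []
    if rec["dst"] == NEUTRINO_EK_IP or rec["host"] == NEUTRINO_EK_HOST:
        tags.append("neutrino-ek-landing")
    if rec["dst"] == C2_IP and rec["port"] == C2_PORT:
        tags.append("cryptxxx-c2")
    if rec["port"] == 443 and rec["method"] in CLEARTEXT_METHODS:
        tags.append("cleartext-http-on-443")
    if rec["host"] in PAYMENT_HOSTS:
        tags.append("ransom-payment-site")
    elif rec["host"].endswith(TOR2WEB_SUFFIXES):
        tags.append("tor2web-gateway")
    return tags


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Return (timestamp, tags) for every parseable line that hits an indicator."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        tags = classify(rec)
        if tags:
            hits.append((rec["ts"], tags))
    return hits


if __name__ == "__main__":
    for ts, tags in scan(SAMPLE_LOG.splitlines()):
        print(ts, ", ".join(tags))
```

Run against the constructed sample, the first line is tagged as the Neutrino EK landing page, the second as the C2 check-in and as clear-text HTTP on 443, and the third as the ransom payment site; the CONNECT to example.com and the malformed line produce nothing.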
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Traffic associated with Neutrino exploit and CryptXXX ransomware infection
Shown above: Injected script found on compromised site redirecting to Neutrino Exploit Kit landing page
Shown above: CryptXXX post-infection traffic over port 443, with the ransom note delivered in clear text.
Shown above: Start of Cryptxxx .HTML ransom note and De-Crypt instructions README.HTML
Shown above: Continuation of Cryptxxx .HTML ransom note and De-Crypt instructions README.HTML
Shown above: Cryptxxx .BMP ransom note and De-Crypt instructions README.BMP
Shown above: Cryptxxx returns to using a .txt ransom note in its De-Crypt instructions README.txt
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:
- 2016-07-26-Neutrino-EK.swf – Virus Total Link
- 2016-07-26-rad315AB.tmp.dll – Virus Total Link