Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware – NEW C2
On my Twitter account, @bemitc pointed out that this variant of CryptXXX may actually be CrypMIC ransomware, as reported by Trend Micro on July 20th, 2016 in the post CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps. I also uploaded the malicious payload to Hybrid-Analysis.com should you wish to review it further.
- Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- The injection method was an iframe, as mentioned in a post on the SANS Internet Storm Center forum, Change in patterns for the pseudoDarkleech campaign.
- I also noted that CryptXXX is back to sending its ransom notes in clear text, as mentioned in the SANS Internet Storm Center forum post CryptXXX ransomware updated by Brad Duncan of malware-traffic-analysis.net.
- Also noteworthy is the command and control switch: the command and control server is now hosted in Germany, on AS24961 myLoc managed IT AG.
- CryptXXX has again added a README.txt file along with the usual .bmp and .html to its ransom notes.
I have added a zipped pcap file for your analysis. I did not include all post infection traffic to command and control to protect my decryption key. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
220.127.116.11 – ssucheng.homes4dogs.co.uk – Neutrino EK
18.104.22.168 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: