Neutrino Exploit Kit via EITEST delivers CrypMic Ransomware
- On July 26th, 2016 I posted how CryptXXX ransomware had returned to the use of sending ransom notes in clear text and html over SSL port 443, as was first reported in a SANS Internet Storm Center forum post CryptXXX ransomware updated.
- After @bemitc pointed out this variant of CryptXXX may actually be CrypMic ransomware, as reported by Trend Micro on July 20th, 2016 in a post CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps, I began to research the comparisons.
- Trend Micro, in its comparison chart, mentions how CrypMic makes use of the README.TXT, README.HTML, README.BMP and does not use the lockscreen displaying the ransom note as so commonly seen with CryptXXX.
- Trend Micro, also in its comparison chart mentions how CrypMic makes use of the deletion of Windows Volume Shadow Copy with vssadmin. This variant of ransomware is deleting the Volume Shadow Copy. The past versions of CryptXXX which I collected, had not been making use of the vssadmin to delete Windows Shadow Volume copy. See image below from hybrid-analysis.com.
- Proofpoint in a recent July post Spam, Now With a Side of CryptXXX Ransomware! stated “We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis.”
- So, for now it appears to me that CrypMic, a new “ransomware family” classified by Trend Micro (Not an upgraded version of CryptXXX) is being deliver via the Neutrino Exploit Kit.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 126.96.36.199 – ytirihy.xyz – EITEST GATE
- 188.8.131.52 – colit-zerknitterteste.st-marg-hospice-extranet.org – Neutrino EK
- 184.108.40.206 Port 443 – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: