New C2 – Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware
- Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- The pseudoDarkleech campaign used the “hopto.org” gate to redirect to the Neutrino Exploit Kit (EK) landing page.
- CrypMic is using a new Command and Control server and continues to send its ransom notes over SSL port 443 in clear text.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 18.104.22.168 – jkgbpsh.hopto.org – Redirect GATE
- 22.214.171.124 – saveoldclinicas.propertymanager.eu.com – Netrino EK
- 126.96.36.199 – Port 443 Clear text – C2 Check-In – POST INFECTION TRAFFIC
Germany, AS24961 myLoc managed IT AG,
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Hybrid-analysis.net shows post infection communication with C2
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: