Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware
- Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- The pseudoDarkleech campaign used the “hopto.org” gate to redirect to the Neutrino Exploit Kit (EK) landing page.
- CrypMic is using a new Command and Control server and continues to send its ransom notes over SSL port 443 in clear text.
- During capture the pcap file became segmented. I extracted Neutrino’s flash exploit using NetworkMiner. I included the flash file in the below zip file.
I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 220.127.116.11 – vtqckhl.hopto.org GET /wordpress/?ARX8 – Redirect GATE
- 18.104.22.168 – cixiidae.recipmedia.co.uk – Netrino EK LANDING PAGE
- 22.214.171.124 – Port 443 Clear text – C2 Check-In – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: