Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware
NOTES:
- Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
- The pseudoDarkleech campaign used the “hopto.org” gate to redirect to the Neutrino Exploit Kit (EK) landing page.
- CrypMic is using a new Command and Control server and continues to send its ransom notes over TCP port 443 (the usual SSL port) in clear text.
- During capture the pcap file became segmented. I extracted Neutrino’s flash exploit using NetworkMiner. I included the flash file in the below zip file.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-08-16-Neutrino-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 83.217.27.178 – vtqckhl.hopto.org GET /wordpress/?ARX8 – Redirect GATE
- 74.208.103.8 – cixiidae.recipmedia.co.uk – Neutrino EK LANDING PAGE
- 85.14.243.9 – Port 443 Clear text – C2 Check-In – POST INFECTION TRAFFIC
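Added example (not part of the original post): a small Python check a defender could run over the first client bytes of each TCP stream in a capture, flagging port-443 flows that do not begin with a TLS record header, which is how the clear-text C2 check-in listed above stands out from ordinary HTTPS. The sample flows are constructed; only the C2 and gate addresses and the gate path are taken from the list above, and the exact request format of the check-in is assumed, not taken from the page.

```python
# Added example: flag TCP flows to port 443 whose first client bytes are not
# a TLS record header. Sample flows are constructed here; in practice they
# would come from the first data packet of each TCP stream in the pcap.

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
TLS_MAJOR_VERSION = 0x03      # record-layer major version for SSL3/TLS1.x
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_payload(payload: bytes) -> str:
    """Classify the first client bytes of a flow as tls, http-plaintext or other."""
    # A TLS ClientHello starts with 0x16 0x03 <minor>, then a 2-byte record length.
    if (len(payload) >= 5 and payload[0] == TLS_HANDSHAKE
            and payload[1] == TLS_MAJOR_VERSION and payload[2] <= 0x04):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "other"


def cleartext_on_443(flows):
    """Return (src, dst, kind) for every flow to port 443 that is not TLS.

    flows: iterable of (src_ip, dst_ip, dst_port, first_client_payload).
    """
    hits = []
    for src, dst, dport, payload in flows:
        if dport != 443:
            continue                      # only the "SSL" port is of interest here
        kind = classify_payload(payload)
        if kind != "tls":
            hits.append((src, dst, kind))
    return hits


# Constructed sample flows (not taken from the pcap). The C2 and gate addresses
# are the ones listed above; the victim and benign server IPs are placeholders.
SAMPLE_FLOWS = [
    # Ordinary HTTPS: TLS 1.0 record header, ClientHello follows.
    ("192.0.2.10", "198.51.100.7", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),
    # Plain HTTP on 443, standing in for the clear-text C2 check-in (assumed format).
    ("192.0.2.10", "85.14.243.9", 443, b"POST / HTTP/1.1\r\nHost: 85.14.243.9\r\n\r\n"),
    # Plain HTTP to the gate on port 80 is expected and is not flagged by this check.
    ("192.0.2.10", "83.217.27.178", 80, b"GET /wordpress/?ARX8 HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst, kind in cleartext_on_443(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:443 non-TLS traffic ({kind})")
```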
ASSOCIATED DOMAINS FOR RANSOM PAYMENT:
http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection.
Shown above: Injected script found on compromised site redirecting to “hopto.org” gate
Shown above: Extracted hopto.org html file using Wireshark File => Export Objects => HTTP and saving the file as a .htm
Shown above: Extracted .htm file from hopto.org opened in a text editor shows an iframe redirecting to the Neutrino Exploit Kit landing page.
Shown above: Using Wireshark’s filter “Follow TCP Stream” on packet 231 shows Neutrino exploiting flash
Shown above: Packet 365 shows partial content of Neutrino sending its malicious payload encrypted/obfuscated
Shown above: Windows desktop post CrypMic ransomware infection
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:
- 2016-08-16-Neutrino.EK.swf (Virus Total link)
- 2016-08-16-rad339F3.tmp.dll (Virus Total link)