Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware

August 16, 2016 Analysis
0 Comment
Neutrino Exploit Kit, Pcap File, pseudoDarkleech, Ransomware

NOTES:

  • Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
  • The pseudoDarkleech campaign used the “hopto.org” gate to redirect to the Neutrino Exploit Kit (EK) landing page.
  • CrypMic is using a new Command and Control server and continues to send its ransom notes over SSL port 443 in clear text.
  • During capture the pcap file became segmented. I extracted Neutrino’s flash exploit using NetworkMiner. I included the flash file in the below zip file.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-16-Neutrino-EK-pcap.zip

 

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 83.217.27.178 – vtqckhl.hopto.org GET /wordpress/?ARX8 – Redirect GATE
  • 74.208.103.8 – cixiidae.recipmedia.co.uk – Netrino EK LANDING PAGE
  • 85.14.243.9 – Port 443 Clear text – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city

 

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic  associated with the Neutrino exploit and CrypMic ransomware infection.

 

Shown above: Injected script found on compromised site redirecting to “hopto.org” gate

 

Shown above: Extracted hopto.org html file using Wireshark File => Export Objects => HTTP and saving the file as a .htm

 

Shown above: Extracted .htm file from hopto.org opened in a text editor shows an iframe redirecting to the Neutrino Exploit Kit landing page.

 

Shown above: Using Wireshark’s filter “Follow TCP Stream” on packet 231 shows Neutrino exploiting flash

 

Shown above: Packet 365 shows partial content of Neutrino sending it malicious payload encrypted/obfuscated

 

Shown above: Windows desktop post CrypMIC ransomware infection

 

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

 

 

 

 

 

Pcap File
EITEST