Neutrino Exploit Kit via EITEST Gate sends CryptXXX Ransomware

ASSOCIATED DOMAINS:

  • 85.93.0.72 – vipbip.ml – EITEST GATE
  • 45.32.182.43 – jwdzsmqc.k1chicken.top – Neutrino EK LANDING PAGE
  • 188.0.236.7 PORT 443 – Check-in C2 – OFFLINE
  • 85.25.194.116 PORT 443 – Check-in C2 – POST INFECT TRAFFIC


IMAGES and DETAILS:

Shown above: Compromised site redirecting to the EITEST gate, which uses the .ml top-level domain (TLD)


Shown above: Using Wireshark's “Follow Stream” on the EITEST gate “vipbip.ml” shows the Referer from the compromised site and the script on the EITEST gate redirecting to the Neutrino EK landing page


Shown above: Using Wireshark's File => Export Objects => HTTP shows Neutrino exploiting Flash in packet 318, and packet 743 shows the malicious payload delivered with the Content-Type “application/stream”
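The chain in the captions above (compromised site -> EITEST gate -> Neutrino landing page -> Flash exploit -> payload) can be rebuilt from Referer headers and flagged from the traits the post describes. This is an added example, not code from the original write-up; the HTTP records are constructed, and only the gate and landing-page hosts come from the indicator list.

```python
# Added example: reconstruct the EITEST -> Neutrino redirect chain from Referer
# headers and flag the indicators described in the captions. Records are constructed.
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class HttpRecord:
    host: str          # Host header of the request
    referer: str       # Referer header ("" if absent)
    content_type: str  # Content-Type of the response

GATE_HOSTS = {"vipbip.ml"}                  # EITEST gate from the indicator list
LANDING_HOSTS = {"jwdzsmqc.k1chicken.top"}  # Neutrino EK landing page from the list
# Random-looking subdomain on a cheap TLD: the shape the landing-page host follows.
EK_STYLE_HOST = re.compile(r"^[a-z0-9]{8,}\.[a-z0-9]+\.(top|ml|tk|ga|cf|gq)$")

def redirect_chain(records, start_host):
    """Walk Referer headers backwards from start_host; return hosts in visit order."""
    first_by_host = {}
    for r in records:
        first_by_host.setdefault(r.host, r)
    chain, host = [], start_host
    while host in first_by_host and host not in chain:
        chain.append(host)
        host = urlparse(first_by_host[host].referer).hostname or ""
    return list(reversed(chain))

def indicators(rec):
    """Return the reasons one record is suspicious (empty list if none)."""
    reasons = []
    ek_host = rec.host in LANDING_HOSTS or bool(EK_STYLE_HOST.match(rec.host))
    if rec.host in GATE_HOSTS:
        reasons.append("known EITEST gate")
    if ek_host:
        reasons.append("Neutrino-style landing host")
    if ek_host and rec.content_type.lower() == "application/x-shockwave-flash":
        reasons.append("Flash object served by EK host")  # the exploit in packet 318
    if rec.content_type.lower() == "application/stream":
        reasons.append("payload delivered as application/stream")  # packet 743
    return reasons

SAMPLE = [  # constructed traffic mirroring the captions; hostnames are examples
    HttpRecord("compromised-site.example", "", "text/html"),
    HttpRecord("vipbip.ml", "http://compromised-site.example/", "text/html"),
    HttpRecord("jwdzsmqc.k1chicken.top", "http://vipbip.ml/", "text/html"),
    HttpRecord("jwdzsmqc.k1chicken.top", "http://jwdzsmqc.k1chicken.top/", "application/x-shockwave-flash"),
    HttpRecord("jwdzsmqc.k1chicken.top", "http://jwdzsmqc.k1chicken.top/", "application/stream"),
]
```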


Shown above: CryptXXX .HTML ransom note and de-crypt instructions


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: