Neutrino Exploit Kit From 45.63.41.234 sends CryptXXX Ransomware via EITEST

ASSOCIATED DOMAINS:

  • 85.93.0.43 – upspost.tk – EITEST GATE
  • 45.63.41.234 – yxylyzwam.ohquaita.xyz – Neutrino EK LANDING PAGE
    AS20473 Choopa, LLC, Seattle, WA
  • 188.0.236.7 – C2 Check-In – OFFLINE
  • 85.25.194.116 PORT 443 – C2 Check-In – POST INFECT TRAFFIC


IMAGES and DETAILS:

Shown above: EITEST gate using the .tk Top Level Domain (TLD) and Neutrino Exploit Kit landing page using the .xyz TLD


Shown above: Redirect script on EITEST gate redirecting to Neutrino EK landing page


Shown above: Packet 169 shows the Neutrino EK exploiting Flash, and packet 610 shows the malicious payload delivered as “application/octet-stream”


Shown above: Packet 610 shows partial contents of encrypted malicious payload
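As an added defender-side example (not from the original post), the script below reconstructs the gate-to-landing-to-exploit-to-payload-to-C2 chain described above from the indicators listed at the top, run over a constructed proxy log; the client addresses, paths and log format are made up for the example.

```python
# Indicators are the ones listed in the write-up; hosts/paths/clients below are constructed.
GATE_HOSTS = {"upspost.tk"}                          # EITEST gate
LANDING_HOSTS = {"yxylyzwam.ohquaita.xyz"}           # Neutrino EK landing page
C2_ENDPOINTS = {"85.25.194.116:443", "188.0.236.7"}  # post-infection check-in

# Constructed proxy log: client method host[:port] path referer content-type bytes
SAMPLE_LOG = """\
10.0.0.5 GET upspost.tk /page - text/html 1843
10.0.0.5 GET yxylyzwam.ohquaita.xyz /landing http://upspost.tk/page text/html 12045
10.0.0.5 GET yxylyzwam.ohquaita.xyz /swf http://yxylyzwam.ohquaita.xyz/landing application/x-shockwave-flash 60231
10.0.0.5 GET yxylyzwam.ohquaita.xyz /bin http://yxylyzwam.ohquaita.xyz/landing application/octet-stream 412356
10.0.0.5 POST 85.25.194.116:443 /checkin - application/x-www-form-urlencoded 512
10.0.0.7 GET example.org /update.bin - application/octet-stream 2048
10.0.0.9 GET upspost.tk /page - text/html 1843
"""

def classify(line):
    # Map one request to a stage of the chain: gate -> landing -> exploit -> payload -> c2
    client, method, host, _path, referer, ctype, _size = line.split()
    ref_host = referer.split("/")[2] if "://" in referer else ""
    if host in GATE_HOSTS:
        return client, "gate"
    if host in LANDING_HOSTS:
        if ctype == "application/x-shockwave-flash":
            return client, "exploit"          # Flash exploit (packet 169 in the capture)
        if ctype == "application/octet-stream":
            return client, "payload"          # encrypted payload (packet 610 in the capture)
        if ref_host in GATE_HOSTS:
            return client, "landing"          # arrived via the EITEST redirect script
    if host in C2_ENDPOINTS and method == "POST":
        return client, "c2"
    return client, None

def stages_per_client(log_text):
    seen = {}
    for line in log_text.splitlines():
        client, stage = classify(line)
        stages = seen.setdefault(client, [])
        if stage and stage not in stages:
            stages.append(stage)
    return seen

def verdict(stages):
    if "payload" in stages and "c2" in stages:
        return "infected"     # payload fetched and check-in seen: isolate, look for .crypz files
    if {"landing", "exploit", "payload"} & set(stages):
        return "exposed"      # reached the EK landing page; check patch level and AV logs
    return "redirected" if "gate" in stages else "clean"

def triage(log_text):
    return {client: verdict(stages) for client, stages in stages_per_client(log_text).items()}
```

An octet-stream download from an unrelated host (10.0.0.7) is not flagged on its own; the verdict depends on the host sequence, not the content type alone.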


Shown above: CryptXXX .HTML ransom note and de-crypt instructions with graphic changes


Shown above: Tweet from June 10th showing 0/56 Anti-Virus detection ratio

NOTE: The infected computer's files were encrypted with the .crypz file extension.


Shown above: Anti-Virus detection ratio for CryptXXX continues to be low


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: