Neutrino Exploit Kit via EITEST delivers CryptXXX Ransomware


NOTES:
I have seen the EITEST campaign using the Neutrino Exploit Kit to send CryptXXX ransomware since June 7th, 2016. A great article on the history of the EITEST campaign can be read at http://researchcenter.paloaltonetworks.com/2016/03/unit42-how-the-eltest-campaigns-path-to-angler-ek-evolved-over-time/

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at
info@broadanalysis.com

PCAP file of the infection traffic:
2016-06-16-pcap.zip


ASSOCIATED DOMAINS:

  • 85.93.0.43 – bexytf.ml – EITEST GATE
  • 185.133.72.122 – jywqrwwea.ogahza.xyz – Neutrino EK LANDING PAGE
  • 188.0.236.7 – C2 Check-In – OFFLINE
  • 85.25.194.116 port 443 – C2 Check-In – POST INFECTION TRAFFIC


IMAGES and DETAILS (captions of the screenshots in the original post):

  • Compromised site and associated EITEST domains leading to CryptXXX ransomware
  • Injected script on compromised site redirecting to EITEST gate
  • Script on EITEST gate redirecting to Neutrino Exploit Kit landing page
  • Partial packet content of Neutrino exploiting Flash – 1f6a f6a
  • Packet 484 shows malicious payload via application/octet-stream
  • Partial contents of malicious payload from packet 484
  • CryptXXX .HTML ransom note and De-Crypt instructions
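The chain shown in the screenshots (compromised site → EITEST gate → Neutrino landing page → Flash exploit → application/octet-stream payload) can be picked out of HTTP session logs with a small state machine per client and host. The following is an added detection example, not code from the original post; the log record format is a simplified, constructed one (Zeek/proxy-log style), the hosts compromised.example and cdn.example and all timestamps and URIs are invented, and only the gate and landing-page hostnames come from the post.

```python
from collections import defaultdict
from urllib.parse import urlsplit
FLASH, BINARY = "application/x-shockwave-flash", "application/octet-stream"

def _rec(ts, host, uri, mime, referer="", client="10.0.0.5"):
    return {"ts": ts, "client": client, "host": host, "uri": uri, "mime": mime, "referer": referer}

# Constructed sample sessions (timestamps, URIs and clients are invented; the
# gate and landing-page hosts are the ones listed in the post).
SAMPLE_HTTP = [
    _rec(0.0, "compromised.example", "/", "text/html"),
    _rec(1.2, "bexytf.ml", "/gate", "text/html", "http://compromised.example/"),
    _rec(2.0, "jywqrwwea.ogahza.xyz", "/landing", "text/html", "http://bexytf.ml/gate"),
    _rec(2.5, "jywqrwwea.ogahza.xyz", "/flash", FLASH, "http://jywqrwwea.ogahza.xyz/landing"),
    _rec(3.1, "jywqrwwea.ogahza.xyz", "/payload", BINARY, "http://jywqrwwea.ogahza.xyz/landing"),
    # Benign control: a CDN serving a .swf and then a binary with no HTML landing page first.
    _rec(9.0, "cdn.example", "/app.swf", FLASH, client="10.0.0.7"),
    _rec(9.5, "cdn.example", "/update.bin", BINARY, client="10.0.0.7"),
]

def redirect_chain(records, rec):
    """Walk Referer headers back from rec; return hosts earliest first (site -> gate -> landing)."""
    by_url = {f"http://{r['host']}{r['uri']}": r for r in records if r["client"] == rec["client"]}
    hosts = [rec["host"]]
    while rec is not None and rec["referer"]:
        ref_host = urlsplit(rec["referer"]).hostname
        if ref_host in hosts:          # stop on self-referencing or looping referers
            break
        hosts.append(ref_host)
        rec = by_url.get(rec["referer"])
    return hosts[::-1]

def find_ek_chains(records, window=60.0):
    """Per (client, host): HTML page, then a Flash object, then an octet-stream payload within `window` s."""
    groups = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        groups[(r["client"], r["host"])].append(r)
    alerts = []
    for (client, host), recs in groups.items():
        html = flash = None
        for r in recs:
            if r["mime"] == "text/html":
                html, flash = r, None                     # (re)start the state machine
            elif r["mime"] == FLASH and html is not None:
                flash = r                                 # exploit object after the landing page
            elif r["mime"] == BINARY and flash is not None and r["ts"] - html["ts"] <= window:
                alerts.append({"client": client, "landing_host": host, "payload_uri": r["uri"],
                               "chain": redirect_chain(records, html)})
                html = flash = None
    return alerts
```

On the sample above it raises one alert for the landing host and reconstructs the redirect path from the compromised site through the gate; the CDN traffic is not flagged because no HTML page precedes its Flash and binary responses.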

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: