Neutrino Exploit Kit via Redirect Gate delivers CryptXXX Ransomware

NOTES:
Today I saw a simple injected JavaScript, found on a compromised site, used to redirect to a Neutrino Exploit Kit gate and then on to its landing page. This is the first time I have seen this type of redirect used to deliver CryptXXX ransomware. Two well-known campaigns distributing CryptXXX are EITEST and pseudo-DARKLEECH. This infection chain does not appear to fit the profile of either of these campaigns or actors.

The new redirect gate IP address is also registered to the same provider as the command and control (C2) server that has been used in the CryptXXX campaign: Germany, AS8972 PlusServer AG.

The traffic to the command and control server (C2) also appears to have changed.

The encrypted files continue to use .crypz extensions.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-06-19-neutrino-ek.pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.25.95.39 – http://realstatistics.info//js/analytic.php?id=4&tz=-5&rs=1024×768 – Redirect GATE
  • 217.12.201.248 – magnesia.alliedtherapys.co.uk – Neutrino EK LANDING PAGE
  • 85.25.194.116 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC
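As an added example (not code from the original post), the following script reconstructs the chain listed above from proxy logs: a request matching the gate's analytic.php?id=&tz=&rs= pattern, a landing-page request whose referer is that gate URL, and a later POST to a bare-IP HTTPS C2. The log lines are constructed; the compromised site and the landing-page path are placeholders, while the gate, landing host and C2 IP come from the IOC list.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: client method url referer status.
# compromised-site.example and the /abc123 path are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised-site.example/index.html - 200
10.0.0.5 GET http://realstatistics.info//js/analytic.php?id=4&tz=-5&rs=1024x768 http://compromised-site.example/index.html 200
10.0.0.5 GET http://magnesia.alliedtherapys.co.uk/abc123 http://realstatistics.info//js/analytic.php?id=4&tz=-5&rs=1024x768 200
10.0.0.5 POST https://85.25.194.116:443/ - 200
10.0.0.9 GET http://news.example/page.html - 200
"""

# Gate URL shape from the post: analytic.php carrying an id, a timezone (tz)
# and a screen resolution (rs), i.e. browser fingerprint data in the query.
# Accepts both "x" and the typographic "×" seen in the post's URL.
GATE_RE = re.compile(
    r"/analytic\.php\?(?=.*\bid=)(?=.*\btz=-?\d+)(?=.*\brs=\d+[x\u00d7]\d+)")
# Post-infection C2 check-in: HTTPS straight to a bare IP on port 443.
BARE_IP_HTTPS = re.compile(r"^https://\d{1,3}(?:\.\d{1,3}){3}(?::443)?/")

def parse(log_text):
    """Parse the five-column constructed log format into dicts."""
    rows = []
    for line in log_text.splitlines():
        client, method, url, referer, _status = line.split()
        rows.append({"client": client, "method": method, "url": url,
                     "referer": None if referer == "-" else referer})
    return rows

def find_chains(rows):
    """Return {client: [gate_url, landing_url, c2_url]} for clients whose
    traffic shows gate -> landing page referred by the gate -> bare-IP POST."""
    per_client = defaultdict(list)
    for r in rows:
        per_client[r["client"]].append(r)
    hits = {}
    for client, reqs in per_client.items():
        for gate in (r["url"] for r in reqs if GATE_RE.search(r["url"])):
            landing = [r["url"] for r in reqs if r["referer"] == gate]
            c2 = [r["url"] for r in reqs
                  if r["method"] == "POST" and BARE_IP_HTTPS.match(r["url"])]
            if landing and c2:
                hits[client] = [gate, landing[0], c2[0]]
    return hits

if __name__ == "__main__":
    for client, chain in find_chains(parse(SAMPLE_LOG)).items():
        print(client, " -> ".join(chain))
```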


IMAGES and DETAILS:

Shown above: Compromised site redirecting to gate and Neutrino EK landing page


Shown above: Injected javascript found on compromised site redirecting to Neutrino EK gate


Shown above: document.write redirect found on gate redirecting to Neutrino landing page


Shown above: Partial packet content of Neutrino Exploiting flash 1430d


Shown above: Post infection traffic communicating with CryptXXX command and control


Shown above: CryptXXX .HTML ransom note and De-Crypt instructions


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: