Neutrino Exploit Kit 78.46.167.130 sends Gootkit

NOTES:
Over the last three days, with this campaign realstatistics.info, I have only seen the Neutrino Exploit Kit (EK) sending Gootkit. The last time I saw Neutrino EK sending Gootkit was May 17th, 2016 – Neutrino Exploit Kit sends GootKit. The Angler Exploit Kit was also seen sending Gootkit on June 1st, 2016, a few days before its disappearance – Angler Exploit Kit from 185.106.122.81 sends Gootkit.

On June 19th, 2016 I first noticed the use of the realstatistics.info redirect gate. This gate has been used to redirect to both the Neutrino landing pages and the Rig landing pages, switching between the two exploit kits numerous times during the day, where Neutrino EK would send Gootkit and Rig EK would send Cerber ransomware.

UPDATED [Correction]: Neutrino Exploit Kit is still very active sending ransomware via the EITest and pseudo-Darkleech campaigns.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-06-29-Neutrino-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.25.95.39 – realstatistics.info – Redirect GATE
  • 78.46.167.130 – acptuamm.odwczx.xyz – Neutrino LANDING PAGE
  • 52.67.39.104 – Gootkit POST INFECTION TRAFFIC
  • 93.115.10.203 – Gootkit POST INFECTION TRAFFIC

DNS ACTIVITY:

  • Query – sievavower.com
    Response – 52.67.39.104, 93.115.10.203
  • Query – stogtetch.com
    Response – 52.67.39.104, 93.115.10.203
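Added example, not from the original post or its pcap: a small Python triage script that walks constructed proxy, DNS and TLS log lines, matches them against the indicators listed above (gate, landing page, C2 addresses and domains, and the "My Company Ltd" certificate subject), and reports which client hit the gate, the landing page and the Gootkit C2 in that order. The log line format and the client addresses are assumptions made for the example.

```python
import re
from collections import OrderedDict

# Indicators as listed in this post
GATE = {"85.25.95.39", "realstatistics.info"}
LANDING = {"78.46.167.130", "acptuamm.odwczx.xyz"}
C2 = {"52.67.39.104", "93.115.10.203", "sievavower.com", "stogtetch.com"}
CERT_SUBJECT = "My Company Ltd"  # self-signed certificate subject noted below

STAGE_ORDER = ["gate", "landing", "c2"]  # the chain this post describes

# Constructed sample records (timestamp, type, client, detail); not from the pcap
SAMPLE_LOGS = """\
2016-06-29T13:01:02 HTTP 10.0.0.5 GET realstatistics.info/ -> 85.25.95.39
2016-06-29T13:01:03 HTTP 10.0.0.5 GET acptuamm.odwczx.xyz/abc -> 78.46.167.130
2016-06-29T13:02:10 DNS 10.0.0.5 sievavower.com A 52.67.39.104,93.115.10.203
2016-06-29T13:02:11 TLS 10.0.0.5 52.67.39.104:443 subject="My Company Ltd"
2016-06-29T13:05:00 HTTP 10.0.0.7 GET example.org/ -> 93.184.216.34
2016-06-29T13:06:00 TLS 10.0.0.9 203.0.113.8:443 subject="My Company Ltd"
"""

TOKEN = re.compile(r"[A-Za-z0-9.-]+")  # pulls hostnames/IPs out of URLs, ports, lists

def classify(line):
    """Return (client, stage) for a log line, or None when no indicator matches."""
    parts = line.split()
    if len(parts) < 4:
        return None
    client = parts[2]
    tokens = set(TOKEN.findall(line))
    if tokens & GATE:
        return client, "gate"
    if tokens & LANDING:
        return client, "landing"
    if tokens & C2 or CERT_SUBJECT in line:  # the cert subject alone is a weak hit
        return client, "c2"
    return None

def stages_by_client(logs):
    """Map each client to the ordered list of distinct stages it touched."""
    seen = OrderedDict()
    for line in logs.splitlines():
        hit = classify(line)
        if hit:
            client, stage = hit
            stages = seen.setdefault(client, [])
            if stage not in stages:
                stages.append(stage)
    return seen

def full_chain(stages):
    """True when gate, landing and c2 occur in that order (other stages may sit between)."""
    it = iter(stages)
    return all(stage in it for stage in STAGE_ORDER)

def infected_clients(logs):
    """Clients that completed the whole gate -> landing -> C2 chain."""
    return [c for c, s in stages_by_client(logs).items() if full_chain(s)]

if __name__ == "__main__":
    for client, stages in stages_by_client(SAMPLE_LOGS).items():
        print(client, " -> ".join(stages), "FULL CHAIN" if full_chain(stages) else "")
```

Clients that only show the certificate subject (10.0.0.9 above) are listed but not marked as a full chain, since a self-signed "My Company Ltd" certificate on its own merits a look rather than an infection verdict.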


DETAILS OF INFECTION CHAIN:

Shown above: HTTP traffic associated with the Neutrino exploit and the Gootkit infection

Shown above: DNS post-infection traffic associated with the Gootkit infection

Shown above: Gootkit post-infection traffic to IP address 52.67.39.104

Shown above: self-signed SSL certificate issued to “My Company Ltd”, first noted in Emerging Threats rules. The same check can be repeated for IP address 93.115.10.203.

Shown above: Windows Registry entries associated with GootKit (two screenshots)

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: