Neutrino Exploit Kit via EITEST sends Hancitor and Downloads Unidentified Malware


NOTES:
Below is traffic I captured today associated with the Neutrino Exploit Kit and the EITEST campaign. The traffic pattern appears to be associated with the Hancitor downloader. I was unable to identify the payload which was sent. Below are links to the malicious payloads.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-11-Neutrino-EK-pcap.zip

REFERENCE:
Proofpoint.com Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.43 – hsiolex.tk – EITEST GATE
  • 185.141.25.235 – mirfn.vp2izfj.top – Neutrino EK LANDING PAGE
  • 46.4.173.214 – forwitmeand.com POST /sl/gate.php – Hancitor COMMAND AND CONTROL CHECK-IN
  • 54.235.131.19 – api.ipify.org – IP ADDRESS LOOKUP
  • 51.255.20.177 – setgroups.ir GET /43.exe – POST INFECTION DOWNLOAD
  • 89.253.228.18 – HOST NOT AVAILABLE
  • 46.30.42.221 – HOST NOT AVAILABLE
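The list above is the whole infection chain in order: compromised site, EITEST gate, Neutrino landing page, Hancitor check-in, IP lookup, payload download. The script below is an added example (not code from this post) that turns those indicators into a simple chain reconstruction over HTTP proxy log lines. The log format (`timestamp src_ip dst_ip method host uri`), the sample log lines and the client addresses are constructed for the example; the indicator values themselves come only from the list above. The ipify lookup is ordinary traffic on its own, so the example only counts it once the same client has already done the Hancitor check-in.

```python
import re
from dataclasses import dataclass

# Indicators copied from the "ASSOCIATED DOMAINS AND IP ADDRESSES" list above.
# Each entry: (dst_ip, host, method, uri_prefix, stage). None means "any".
INDICATORS = [
    ("85.93.0.43", "hsiolex.tk", None, None, "EITEST gate"),
    ("185.141.25.235", "mirfn.vp2izfj.top", None, None, "Neutrino EK landing page"),
    ("46.4.173.214", "forwitmeand.com", "POST", "/sl/gate.php", "Hancitor C2 check-in"),
    ("54.235.131.19", "api.ipify.org", None, None, "IP address lookup"),
    ("51.255.20.177", "setgroups.ir", "GET", "/43.exe", "post-infection download"),
]

# Addresses the post lists with no host details; match on destination IP only.
IP_ONLY = {"89.253.228.18", "46.30.42.221"}

# Constructed log format for this example: ts src dst method host uri
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+)$"
)

# Constructed sample log: one client walking the full chain, one client that
# only queried api.ipify.org, plus a benign request (RFC 5737 address).
SAMPLE_LOG = """\
2016-07-11T14:01:02Z 192.168.1.50 203.0.113.10 GET www.example.com /index.html
2016-07-11T14:01:03Z 192.168.1.50 85.93.0.43 GET hsiolex.tk /
2016-07-11T14:01:05Z 192.168.1.50 185.141.25.235 GET mirfn.vp2izfj.top /
2016-07-11T14:01:40Z 192.168.1.50 46.4.173.214 POST forwitmeand.com /sl/gate.php
2016-07-11T14:01:41Z 192.168.1.50 54.235.131.19 GET api.ipify.org /
2016-07-11T14:01:45Z 192.168.1.50 51.255.20.177 GET setgroups.ir /43.exe
2016-07-11T14:05:00Z 192.168.1.77 54.235.131.19 GET api.ipify.org /
"""


@dataclass
class Hit:
    ts: str
    src: str
    stage: str
    host: str
    uri: str


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Map one request to a chain stage, or None if it matches no indicator."""
    for ip, host, method, uri, stage in INDICATORS:
        if rec["dst"] == ip or rec["host"] == host:
            if method and rec["method"] != method:
                continue
            if uri and not rec["uri"].startswith(uri):
                continue
            return stage
    if rec["dst"] in IP_ONLY:
        return "unattributed IP from post"
    return None


def find_hits(lines):
    """Scan log lines and keep only requests that match an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage:
            hits.append(Hit(rec["ts"], rec["src"], stage, rec["host"], rec["uri"]))
    return hits


def infection_chains(hits):
    """Group hits per client and return ordered stages for clients that
    reached the Hancitor check-in. A lone api.ipify.org lookup is dropped
    because the service is legitimate; it only counts after a check-in."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, []).append(h)
    chains = {}
    for src, hs in by_src.items():
        stages, seen_c2 = [], False
        for h in sorted(hs, key=lambda x: x.ts):
            if h.stage == "Hancitor C2 check-in":
                seen_c2 = True
            if h.stage == "IP address lookup" and not seen_c2:
                continue
            stages.append(h.stage)
        if seen_c2:
            chains[src] = stages
    return chains


if __name__ == "__main__":
    for src, stages in infection_chains(find_hits(SAMPLE_LOG.splitlines())).items():
        print(src, "->", " > ".join(stages))
```

Run it as a script to print the reconstructed chain for each client, or import it and feed `find_hits` your own log lines in the same constructed format. The client that only contacted api.ipify.org does not appear in the output, which is the point of keying the verdict on the check-in rather than on the lookup.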


IMAGES AND DETAILS:

Shown above: HTTP traffic associated with Neutrino exploit and Hancitor infection

Shown above: Injected script found on compromised site redirecting to EITEST gate

Shown above: Script on EITEST gate redirecting to Neutrino Exploit Kit landing page

Shown above: Traffic associated with Hancitor Command and Control check-in

Shown above: Post infection IP address look-up

Shown above: Partial contents of malicious payload downloaded from setgroups.ir


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: