Neutrino EK via EITEST sends two variants of Ursnif – A Comparison


NOTES:

  • Over the past two days I have been monitoring a website compromised by the EITEST campaign pushing out what appears to be Ursnif via the Neutrino Exploit Kit. Ursnif is classified as data-stealing malware.
  • Below I will show you how the data is stolen and exfiltrated to the command and control (C2).
  • The traffic pattern has changed since I last saw Ursnif on May 25th 2016, when it was delivered via the Angler Exploit Kit.
  • I also noticed how the traffic pattern and data exfiltration changed over the course of the day. I will show you a comparison of the data exfiltration over the day.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-21-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES RUN 2:

  • 85.93.0.12 – vredtyh.ml – EITEST GATE
  • 131.72.139.207 – husqob.hb95cyjy.top – Neutrino EK LANDING PAGE
  • 54.243.185.251 – constitution.org GET /usdeclar.txt – Internet Connection Check
  • 31.41.44.219 SSL Port 443 – Command and Control POST INFECTION
  • 198.105.254.228 – absoluteconnected.ru – POST INFECTION
  • 198.105.254.228 – tappropriations.ru – POST INFECTION

ASSOCIATED DOMAINS AND IP ADDRESSES RUN 1:

  • 85.93.0.12 – shkter.xyz – EITEST GATE
  • 131.72.139.203 – kyy1vt.acnp65o2.top – Neutrino EK LANDING PAGE
  • 208.118.235.148 – www.gnu.org GET /licenses/gpl.txt – Internet Connection Check
  • 198.105.254.228 – rudoesnetworkthe.ru GET / – POST INFECTION
  • 198.105.254.228 – thlicensecodelfcharge.ru GET / – POST INFECTION
  • 198.105.254.228 – holydoesthegoverned.ru GET / – POST INFECTION
  • 198.105.254.228 – foundationpropagation.ru GET / – POST INFECTION
  • 198.105.254.228 – changebutresthaveyou.ru POST / – DATA EXFILTRATION
  • 198.105.254.228 – thlicensecodelfcharge.ru POST / – DATA EXFILTRATION

On run 1 the data was exfiltrated over HTTP as .bin files. On run 2 the data was exfiltrated over SSL-encrypted port 443. In the run 2 list above you can see how the infection unsuccessfully tried to exfiltrate stolen data to IP address 198.105.254.228, as was done on run 1.


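The two indicator lists above describe a chain with a fixed shape: EITEST gate, Neutrino landing page, a connectivity check against a well-known public text file, then C2 check-ins and exfiltration (POST over HTTP on run 1, TLS to 31.41.44.219 on run 2). The following is an added example, not code from the original post or from any tool it mentions, that runs that chain as detection logic over a handful of proxy-style log lines. The log line layout, the CONNECT method used to represent the run 2 TLS session, the client IP 10.0.0.5, and the benign 203.0.113.10/example.com line are all constructed for the example; the domains, IPs and check URLs come from the lists above.

```python
import re
from collections import Counter, namedtuple
from typing import Iterable, List, Optional

# Indicators copied from the run 1 / run 2 lists on this page.
EITEST_GATES = {"vredtyh.ml", "shkter.xyz"}
NEUTRINO_LANDING = {"husqob.hb95cyjy.top", "kyy1vt.acnp65o2.top"}
CONNECTIVITY_CHECKS = {
    ("constitution.org", "/usdeclar.txt"),
    ("www.gnu.org", "/licenses/gpl.txt"),
}
C2_DOMAINS = {
    "absoluteconnected.ru", "tappropriations.ru", "rudoesnetworkthe.ru",
    "thlicensecodelfcharge.ru", "holydoesthegoverned.ru",
    "foundationpropagation.ru", "changebutresthaveyou.ru",
}
C2_IPS = {"198.105.254.228", "31.41.44.219"}

# Log line layout assumed for this example (constructed, not a format from the page):
#   <client_ip> <server_ip> <method> <host> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\S+)$")

Hit = namedtuple("Hit", "stage server_ip host path")


def classify(line: str) -> Optional[Hit]:
    """Map one request to a stage of the infection chain, or None if it matches nothing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _client, server_ip, method, host, path = m.groups()
    if host in EITEST_GATES:
        return Hit("eitest_gate", server_ip, host, path)
    if host in NEUTRINO_LANDING:
        return Hit("neutrino_landing", server_ip, host, path)
    if (host, path) in CONNECTIVITY_CHECKS:
        return Hit("connectivity_check", server_ip, host, path)
    if host in C2_DOMAINS or server_ip in C2_IPS:
        # Run 1 exfiltrated with POST over HTTP; run 2 moved to TLS on 443 (seen here as CONNECT).
        if method == "POST" or (method == "CONNECT" and server_ip in C2_IPS):
            return Hit("data_exfil", server_ip, host, path)
        return Hit("c2_checkin", server_ip, host, path)
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Classify every line, dropping the ones that match no indicator."""
    return [h for h in (classify(line) for line in lines) if h is not None]


def chain_summary(hits: List[Hit]) -> Counter:
    """Count how many requests landed in each stage."""
    return Counter(h.stage for h in hits)


def full_chain_seen(hits: List[Hit]) -> bool:
    """True when gate, landing page and connectivity check appear in order and a C2 contact follows."""
    order = ["eitest_gate", "neutrino_landing", "connectivity_check"]
    idx = 0
    for h in hits:
        if idx < len(order) and h.stage == order[idx]:
            idx += 1
        elif idx == len(order) and h.stage in ("c2_checkin", "data_exfil"):
            return True
    return False


# Constructed sample traffic shaped like run 2, plus one benign request at the end.
SAMPLE_LOG = """\
10.0.0.5 85.93.0.12 GET vredtyh.ml /
10.0.0.5 131.72.139.207 GET husqob.hb95cyjy.top /
10.0.0.5 54.243.185.251 GET constitution.org /usdeclar.txt
10.0.0.5 198.105.254.228 GET absoluteconnected.ru /
10.0.0.5 31.41.44.219 CONNECT 31.41.44.219:443 -
10.0.0.5 203.0.113.10 GET example.com /
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.stage:<18} {h.server_ip:<16} {h.host} {h.path}")
    print("full chain:", full_chain_seen(hits), dict(chain_summary(hits)))
```

The ordering check in full_chain_seen is what separates a real infection from a host that merely resolved one of the C2 domains: the gate, landing page and connectivity check have to appear in sequence before a C2 contact counts.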
IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino exploit and Ursnif infection from run 2


Shown above: Traffic associated with the Neutrino exploit and Ursnif infection from run 1


Shown above: Injected script found on compromised site associated with the EITEST campaign which redirects to the EITEST gate from run 2


Shown above: Script found on EITEST gate redirecting to the Neutrino Exploit Kit landing page from run 2


Shown above: Internet connection check used on run 2


Shown above: Internet connection check used on run 1


Shown above: On May 25th 2016 you could see how Ursnif used nasa.gov to complete its internet check


Shown above: On run 1 you can see how data was exfiltrated from the compromised host over HTTP, posting a .bin file containing stolen data to the command and control


Shown above: A comparison of how Ursnif exfiltrated the data on May 25th 2016 and on the first run on July 21st 2016


Shown above: Later in the day on run 2 you could see how Ursnif attempted to connect to IP 198.105.254.228 but was unsuccessful. Ursnif then exfiltrated its data via IP 31.41.44.219 over SSL port 443


Shown above: Beginning of post-infection SSL data exfiltration from run 2


POST INFECTION ARTIFACTS AND DATA EXFILTRATION:

Shown above: After the host is infected Ursnif creates .bin files where it stores stolen credentials and other information


Shown above: After opening the .bin file with a text editor you could see the first 2 bytes contain the letters “PK”. PK is used in file headers associated with .ZIP files.


Shown above: After renaming the file extension on 5AE8.bin to .zip I was able to extract the above listed files.


Shown above: After visiting bing.com and attempting to login with fictitious information, I returned to the .bin file to examine the files.


Shown above: After returning to the .bin file and again following the above process, I opened one of the files contained inside the .bin with a text editor. As seen above, Ursnif was able to capture the fictitious information used to login to bing.com


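The manual steps above (spot the "PK" bytes, rename .bin to .zip, extract, read the members) can be scripted for triage of a whole directory of dropped .bin files. The following is an added example, not code from the original post; it builds a constructed stand-in for 5AE8.bin in memory so it runs offline. The member names forms.txt and sysinfo.txt, their contents, and the user=/pass= markers used to spot form-grab records are all assumptions for the example; the page does not give the real file names or layout.

```python
import io
import zipfile
from typing import Dict, List, Optional

# "PK" is the signature prefix the page points out. The full local-file-header
# signature is PK\x03\x04; an empty archive begins with PK\x05\x06 instead.
ZIP_PREFIX = b"PK"


def looks_like_zip(data: bytes) -> bool:
    """Cheap first-bytes check, confirmed by zipfile's own end-of-central-directory check."""
    return data[:2] == ZIP_PREFIX and zipfile.is_zipfile(io.BytesIO(data))


def list_members(data: bytes) -> List[str]:
    """Names of the files inside the archive, in stored order (no rename needed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_member(data: bytes, name: str) -> bytes:
    """Raw bytes of one member, the equivalent of opening it in a text editor."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def find_credential_members(data: bytes, markers=(b"user=", b"pass=")) -> List[str]:
    """Members whose contents carry any of the (assumed) form-grab markers."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if any(m in zf.read(name) for m in markers):
                found.append(name)
    return found


def triage_bins(files: Dict[str, bytes]) -> Dict[str, Optional[List[str]]]:
    """For each .bin, return its member list if it is really a ZIP, else None."""
    return {name: (list_members(data) if looks_like_zip(data) else None)
            for name, data in files.items()}


def build_sample_bin() -> bytes:
    """Constructed stand-in for the 5AE8.bin on the page: a ZIP with two fake members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fictitious login, matching the page's test against bing.com; not real data.
        zf.writestr("forms.txt", "host=bing.com user=testuser pass=NotARealPassword\n")
        zf.writestr("sysinfo.txt", "constructed system info, not real data\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_bin()
    dropped = {"5AE8.bin": sample, "other.bin": b"\x00\x01\x02"}
    for name, members in triage_bins(dropped).items():
        print(name, "->", members if members is not None else "not a ZIP container")
    for member in find_credential_members(sample):
        print(member, read_member(sample, member).decode(errors="replace").strip())
```

Reading the archive through zipfile.ZipFile avoids renaming the evidence file on disk, and is_zipfile guards against a .bin that merely starts with "PK" but is not a complete archive.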
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: