Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware

NOTES:

  • Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
  • More information about the latest pseudoDarkleech campaign can be found in a post on the SANS Internet Storm Center forum, "Change in patterns for the pseudoDarkleech campaign".

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at:
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-25-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

173.45.70.70 – serafino-monocarbonate.givingtuesday.org.uk – Neutrino EK
188.0.236.9 port 443 – CryptXXX CnC check-in

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://lkpe6tr2yuk4f246.onion.to
http://lkpe6tr2yuk4f246.onion.cab
http://lkpe6tr2yuk4f246.onion.city

DETAILS OF INFECTION CHAIN:

Shown above: IP addresses and domains associated with today's CryptXXX ransomware infection

Shown above: Injected script found on the index page of the compromised site, leading to the Neutrino Exploit Kit landing page

Shown above: Using Wireshark's "Follow TCP Stream" on packet 142 shows Neutrino exploiting Flash

Shown above: Using Wireshark's "Follow TCP Stream" on packet 553 shows Neutrino downloading the encrypted malicious payload, served with the generic MIME type application/octet-stream

Shown above: CryptXXX .HTML ransom note with decryption instructions (@README.HTML)

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EK: