Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware – NEW C2

UPDATE:

On my Twitter account, @bemitc pointed out that this variant of CryptXXX may actually be CrypMIC ransomware, as reported by Trend Micro on July 20th, 2016 in the post CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps. I also uploaded the malicious payload to Hybrid-Analysis.com should you wish to review it further.

NOTES:

  • Today I captured traffic from the latest version of CryptXXX ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
  • The injection method was an iframe, as mentioned in the SANS Internet Storm Center post Change in patterns for the pseudoDarkleech campaign.
  • I also noted CryptXXX is back to sending its ransom notes in clear text, as mentioned in the SANS Internet Storm Center post CryptXXX ransomware updated by Brad Duncan at malware-traffic-analysis.net.
  • Also noteworthy is the command and control (C2) switch: the C2 server is now hosted in Germany at AS24961, myLoc managed IT AG.
  • CryptXXX has again added a README.txt file alongside the usual .bmp and .html ransom notes.

I have added a zipped pcap file for your analysis. I did not include all post-infection traffic to the command and control server, to protect my decryption key. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-26-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

173.45.70.67 – ssucheng.homes4dogs.co.uk – Neutrino EK
193.111.140.100 – PORT 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city
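The indicators above are only useful once they are run against your own network telemetry, so here is an added detection example (my code, not part of the original post or the pcap) that matches the listed IPs and domains against a constructed flow log and, independently of any IOC, flags connections to tcp/443 whose first client bytes are not a TLS record, which is exactly how the clear-text C2 check-in appeared in this capture. The six-field log format, the IOC labels, and the sample lines are all assumptions of mine; the two malicious destinations are the values published above, and the benign addresses come from documentation ranges.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Indicators exactly as listed in the post above; the descriptive labels are mine.
IOC_IPS: Dict[str, str] = {
    "173.45.70.67": "Neutrino EK landing page",
    "193.111.140.100": "CryptXXX C2 check-in (tcp/443)",
}
IOC_DOMAINS: Dict[str, str] = {
    "ssucheng.homes4dogs.co.uk": "Neutrino EK landing page",
    "ccjlwb22w6c22p2k.onion.to": "ransom payment site (Tor2web gateway)",
    "ccjlwb22w6c22p2k.onion.city": "ransom payment site (Tor2web gateway)",
}


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    host: str           # Host header or TLS SNI if the sensor saw one, else "-"
    first_bytes: bytes  # first client payload bytes of the connection


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record of the hypothetical flow log format used here:
    `ts src_ip dst_ip dst_port host first_payload_bytes_hex`.
    Returns None for malformed lines instead of raising, so one bad
    record does not abort a batch."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, host, payload_hex = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(ts, src, dst, int(dport), host, bytes.fromhex(payload_hex))
    except ValueError:
        return None


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts like a TLS handshake record:
    content type 0x16 followed by a 0x03,0x0X version field."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def match_domain(host: str, iocs: Dict[str, str]) -> Optional[str]:
    """Exact or subdomain match of a hostname against the IOC domain list."""
    host = host.lower().rstrip(".")
    for domain, label in iocs.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def analyze(lines: List[str]) -> List[dict]:
    """Return one alert per flow that hits an IOC or carries non-TLS data on tcp/443."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reasons = []
        if flow.dst in IOC_IPS:
            reasons.append("dst IP IOC: " + IOC_IPS[flow.dst])
        label = match_domain(flow.host, IOC_DOMAINS)
        if label:
            reasons.append("domain IOC: " + label)
        # The C2 check-in in the pcap ran over port 443 without TLS; flag that
        # pattern regardless of destination so a C2 move to a new IP is still caught.
        if flow.dport == 443 and flow.first_bytes and not is_tls_record(flow.first_bytes):
            reasons.append("non-TLS payload on tcp/443")
        if reasons:
            alerts.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst, "reasons": reasons})
    return alerts


# Constructed sample log: the two malicious destinations are the post's IOCs,
# the others are documentation-range addresses standing in for benign traffic.
SAMPLE_LOG = [
    "2016-07-26T14:02:11 10.0.0.15 173.45.70.67 80 ssucheng.homes4dogs.co.uk 474554202f",   # "GET /"
    "2016-07-26T14:03:40 10.0.0.15 193.111.140.100 443 - 504f5354202f",                      # "POST /" in clear
    "2016-07-26T14:04:02 10.0.0.15 198.51.100.7 443 example.com 160301",                     # TLS record header
    "2016-07-26T14:05:00 10.0.0.15 198.51.100.9 80 ccjlwb22w6c22p2k.onion.to 474554202f",  # payment page visit
    "not a valid record",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["src"], "->", alert["dst"], "|", "; ".join(alert["reasons"]))
```

Running the block prints three alerts: the EK landing page hit (IP and domain both match), the check-in to 193.111.140.100 (IP match plus the clear-text-on-443 heuristic), and the visit to the Tor2web payment gateway. The benign TLS connection and the malformed record produce nothing. The port-443 heuristic is the part worth keeping after these specific IOCs go stale, since the post's own observation is that the C2 infrastructure moved while the clear-text behaviour stayed.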


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino exploit and CryptXXX ransomware infection


Shown above: Injected script found on compromised site redirecting to Neutrino Exploit Kit landing page


Shown above: CryptXXX post-infection traffic over port 443, showing the ransom note delivered in clear text


Shown above: Start of the CryptXXX .HTML ransom note and De-Crypt instructions (README.HTML)


Shown above: Continuation of the CryptXXX .HTML ransom note and De-Crypt instructions (README.HTML)


Shown above: CryptXXX .BMP ransom note and De-Crypt instructions (README.BMP)


Shown above: CryptXXX returns to using a .txt ransom note for its De-Crypt instructions (README.txt)


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: