Neutrino Exploit Kit via EITEST delivers CrypMic Ransomware


NOTES:

  • On July 26th, 2016 I posted how CryptXXX ransomware had returned to the use of sending ransom notes in clear text and HTML over SSL port 443, as was first reported in a SANS Internet Storm Center forum post, CryptXXX ransomware updated.
  • After @bemitc pointed out that this variant of CryptXXX may actually be CrypMic ransomware, as reported by Trend Micro on July 20th, 2016 in the post CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps, I began to research the comparisons.
  • Trend Micro, in its comparison chart, mentions how CrypMic makes use of README.TXT, README.HTML and README.BMP and does not use the lock screen displaying the ransom note that is so commonly seen with CryptXXX.
  • Trend Micro, also in its comparison chart, mentions how CrypMic deletes the Windows Volume Shadow Copies with vssadmin. This variant of ransomware is deleting the Volume Shadow Copies. The past versions of CryptXXX which I collected had not been making use of vssadmin to delete Windows Volume Shadow Copies. See the image below from hybrid-analysis.com.
  • Proofpoint in a recent July post Spam, Now With a Side of CryptXXX Ransomware! stated “We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis.”
  • So, for now it appears to me that CrypMic, a new “ransomware family” as classified by Trend Micro (not an upgraded version of CryptXXX), is being delivered via the Neutrino Exploit Kit.
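The shadow-copy deletion noted above is one of the more dependable host-side signals for this family, since the vssadmin command has to run before the ransom notes carry any weight. The following Python is an added example, not code from this post, from Trend Micro or from hybrid-analysis.com: it scans process-creation records in a Sysmon Event ID 1 style layout (the field names Image, CommandLine and ParentImage are assumed) for vssadmin deleting shadow copies, and it also matches the equivalent wmic shadowcopy delete form, which goes beyond what this post mentions. The sample events are constructed.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon Event ID 1 style layout.
# These are illustrative records, not data from the post's pcap or sandbox run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",                      # benign enumeration
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": '"C:\\Windows\\System32\\vssadmin.exe"  Delete Shadows /All /Quiet',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},         # dll hosted by rundll32
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Program Files\Backup\backup.exe",                 # unrelated activity
     "CommandLine": "backup.exe --full",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Patterns for shadow-copy deletion. The vssadmin form is the one this post
# describes; the wmic form is a well-known equivalent added here for coverage.
# An optional ".exe" and a closing quote are tolerated so quoted full paths match.
SHADOW_DELETE_PATTERNS = [
    (re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.IGNORECASE),
     "vssadmin delete shadows"),
    (re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.IGNORECASE),
     "wmic shadowcopy delete"),
]

# Parents that would normally drive an admin's deliberate shadow-copy cleanup.
EXPECTED_ADMIN_PARENTS = ("cmd.exe", "powershell.exe", "explorer.exe")


@dataclass
class Alert:
    technique: str
    command_line: str
    parent_image: str
    severity: str


def detect_shadow_copy_deletion(events):
    """Return one Alert per event whose command line deletes shadow copies."""
    alerts = []
    for event in events:
        # Collapse runs of whitespace so spacing tricks do not defeat the match.
        cmd = " ".join(event.get("CommandLine", "").split())
        parent = event.get("ParentImage", "")
        for pattern, label in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                # A non-interactive parent (here rundll32 hosting a dll) is the
                # higher-confidence case; an admin shell is still worth a look.
                severity = "low" if parent.lower().endswith(EXPECTED_ADMIN_PARENTS) else "high"
                alerts.append(Alert(label, cmd, parent, severity))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.technique}: {alert.command_line!r} "
              f"(parent: {alert.parent_image})")
```

Running the block prints two alerts for the constructed events: the quoted vssadmin deletion and the wmic form, both rated high because their parent is rundll32.exe rather than an administrator's shell; the plain "list shadows" enumeration and the unrelated backup job are left alone.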


I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-28-Neutrino-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.93.0.12 – ytirihy.xyz – EITEST GATE
  • 5.39.32.181 – colit-zerknitterteste.st-marg-hospice-extranet.org – Neutrino EK
  • 193.111.140.100 Port 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

  • http://7aggi2bq4bms4dfo.onion.to
  • http://7aggi2bq4bms4dfo.onion.city


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection

Shown above: Injected script found on index page of compromised site which redirects visitor to the EITEST gate to start infection chain

Shown above: Script on EITEST gate 85.93.0.12 redirecting to the Neutrino EK landing page

Shown above: Partial content of packet 216 shows Neutrino exploiting Flash

Shown above: Partial content of packet 444 shows Neutrino Exploit Kit sending an encrypted malicious payload as an application/octet-stream

Shown above: De-Crypt instructions sent over port 443 in clear text
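The indicators listed in the associated domains and IP addresses section, together with the clear-text POST to port 443 shown above, can be turned into a retrospective check over proxy or Zeek-style logs. The following Python is an added example, not the post's own tooling: it assumes a simplified tab-separated layout (ts, src, dst, dport, service, host, method, uri), uses only the IPs and hostnames this post lists, and runs over constructed sample lines (the landing-page path and the non-indicator addresses are placeholders). Beyond exact indicator matching it flags plain HTTP on port 443, which is how the De-Crypt instructions were sent, and orders the matched stages into the gate, EK and C2 chain.

```python
import csv
import io
from dataclasses import dataclass

# Indicators from this post's "associated domains and IP addresses" list,
# keyed to the stage of the infection chain they belong to.
IOC_IPS = {
    "85.93.0.12": "EITEST gate",
    "5.39.32.181": "Neutrino EK",
    "193.111.140.100": "CrypMic C2 check-in",
}
IOC_HOSTS = {
    "ytirihy.xyz": "EITEST gate",
    "colit-zerknitterteste.st-marg-hospice-extranet.org": "Neutrino EK",
}
CHAIN_ORDER = ["EITEST gate", "Neutrino EK", "CrypMic C2 check-in"]

# Constructed sample log in a simplified, Zeek-like tab-separated layout.
# These are not records from the post's pcap; the landing path and the
# non-indicator addresses are placeholders.
# Columns: ts, src, dst, dport, service, host, method, uri
SAMPLE_LOG = (
    "1469700000.1\t10.0.0.5\t203.0.113.10\t80\thttp\twww.compromised-site.test\tGET\t/index.html\n"
    "1469700001.2\t10.0.0.5\t85.93.0.12\t80\thttp\tytirihy.xyz\tGET\t/\n"
    "1469700002.3\t10.0.0.5\t5.39.32.181\t80\thttp\t"
    "colit-zerknitterteste.st-marg-hospice-extranet.org\tGET\t/landing-placeholder\n"
    "1469700005.0\t10.0.0.5\t193.111.140.100\t443\thttp\t-\tPOST\t/\n"
    "1469700006.0\t10.0.0.5\t198.51.100.7\t443\tssl\t-\t-\t-\n"
)


@dataclass
class Finding:
    ts: float
    dst: str
    stage: str    # chain stage for an indicator hit, or "anomaly" for a heuristic hit
    reason: str


def host_matches(host, ioc_host):
    """Exact match or a subdomain of the listed host; the parent domain of the
    EK hostname is not matched on its own because it may be a legitimate site."""
    return host == ioc_host or host.endswith("." + ioc_host)


def analyze_log(log_text):
    """Return Findings for indicator hits and for clear-text HTTP on port 443."""
    findings = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 8:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, dport, service, host, method, uri = row
        ts = float(ts)
        if dst in IOC_IPS:
            findings.append(Finding(ts, dst, IOC_IPS[dst],
                                    f"destination IP {dst} is a listed indicator"))
        for ioc_host, stage in IOC_HOSTS.items():
            if host != "-" and host_matches(host.lower(), ioc_host):
                findings.append(Finding(ts, dst, stage,
                                        f"Host header {host} is a listed indicator"))
        # Heuristic: the C2 check-in in this post is plain HTTP on 443, so a
        # non-TLS request on that port is worth surfacing on its own.
        if dport == "443" and service == "http":
            findings.append(Finding(ts, dst, "anomaly",
                                    f"{method} request in clear text on port 443"))
    return findings


def reconstruct_chain(findings):
    """Return the chain stages observed, in first-seen order."""
    seen = []
    for f in sorted(findings, key=lambda f: f.ts):
        if f.stage in CHAIN_ORDER and f.stage not in seen:
            seen.append(f.stage)
    return seen


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts:.1f} {f.dst:16} {f.stage:20} {f.reason}")
    print("observed chain:", " -> ".join(reconstruct_chain(results)))
```

Matching on both the destination IP and the Host header is deliberate: the EK hostname sits under an otherwise ordinary-looking domain, so the hostname check stays exact (or subdomain-of) while the IP check catches requests where the Host field was not logged. A genuine TLS session on 443 (the last constructed line) produces no finding.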


Shown above: Initial .dll file associated with CrypMic ransomware infection and post-infection artifacts

Shown above: Start of CrypMic .HTML ransom note and De-Crypt instructions README.HTML

Shown above: Continuation of CrypMic .HTML ransom note and De-Crypt instructions README.HTML

Shown above: CrypMic .BMP ransom note and De-Crypt instructions README.BMP

Shown above: CrypMic .TXT ransom note and De-Crypt instructions README.TXT

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: