New C2 – Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware

NOTES:

  • Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
  • The pseudoDarkleech campaign used the “hopto.org” gate to redirect to the Neutrino Exploit Kit (EK) landing page.
  • CrypMic is using a new Command and Control server and continues to send its ransom notes over TCP port 443, the port normally reserved for SSL/TLS, in clear text.
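The cleartext check-in on port 443 is the part of this traffic a defender can turn into a detection without any signature for the binary itself: a real TLS session opens with a 5-byte record header (content type, version 3.x, length), whereas the CrypMic POST shown in the capture opens with an HTTP request line. The script below is an added example written for this post, not code from the post or from any vendor tool; it applies that header heuristic to the first client payload of each flow and matches the IoCs listed in the post. The flows it scans are constructed stand-ins for the pcap, not packets taken from it.

```python
"""Flag non-TLS payloads on tcp/443 and match the IoCs from this post.

Added example for illustration. The sample flows below are constructed;
the IPs/domains in the IoC sets are the ones listed in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IoCs from the post
C2_IPS = {"85.14.243.9"}                                  # CrypMic C2, cleartext on 443
GATE_DOMAINS = {"jkgbpsh.hopto.org"}                      # pseudoDarkleech gate
EK_DOMAINS = {"saveoldclinicas.propertymanager.eu.com"}   # Neutrino EK landing

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
TLS_MAX_RECORD = 16384 + 2048          # 2^14 plaintext plus expansion allowed by the RFC
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS/SSLv3 record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and length <= TLS_MAX_RECORD)


def looks_like_http(payload: bytes) -> bool:
    """True for an HTTP/1.x request line or status line in clear text."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a cleartext HTTP request, lower-cased, or None."""
    if not looks_like_http(payload):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if not line:                      # end of headers
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes        # first client-to-server payload of the flow


def classify(flow: Flow) -> List[str]:
    """Return the findings for one flow; an empty list means nothing suspicious."""
    findings = []
    if flow.dst_port == 443 and flow.payload and not looks_like_tls(flow.payload):
        findings.append("cleartext HTTP on tcp/443" if looks_like_http(flow.payload)
                        else "non-TLS payload on tcp/443")
    host = http_host(flow.payload)
    if host in GATE_DOMAINS:
        findings.append("known pseudoDarkleech gate domain")
    elif host in EK_DOMAINS:
        findings.append("known Neutrino EK domain")
    if flow.dst_ip in C2_IPS:
        findings.append("known CrypMic C2 IP")
    return findings


# Constructed sample flows (not from the pcap): a CrypMic-style cleartext POST to the
# C2 on 443, a genuine TLS ClientHello to an unrelated TEST-NET address, and the
# gate request over plain HTTP.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "85.14.243.9", 443,
         b"POST / HTTP/1.1\r\nHost: 85.14.243.9\r\nContent-Length: 12\r\n\r\n<html>...</h"),
    Flow("10.0.0.5", "198.51.100.10", 443, bytes.fromhex("160301005a0100005603035b")),
    Flow("10.0.0.5", "83.217.27.178", 80,
         b"GET /index.php HTTP/1.1\r\nHost: jkgbpsh.hopto.org\r\n\r\n"),
]


def scan(flows=SAMPLE_FLOWS) -> Dict[str, List[str]]:
    """Map 'src->dst:port' to its findings for every flow."""
    return {f"{f.src_ip}->{f.dst_ip}:{f.dst_port}": classify(f) for f in flows}


if __name__ == "__main__":
    for key, findings in scan().items():
        print(key, findings or "clean")
```

The header check deliberately tests only the first five bytes, so it costs nothing per flow and does not depend on decrypting anything; on a real capture, feed it the first client payload of each TCP stream. Expect some benign noise from non-TLS services that happen to sit on 443 (VPNs, proxies), which is why the IoC match is reported as a separate finding rather than folded into the heuristic.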

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic:
2016-08-08-Neutrino-EK-pcap2.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 83.217.27.178 – jkgbpsh.hopto.org – Redirect GATE
  • 51.254.30.225 – saveoldclinicas.propertymanager.eu.com – Neutrino EK
  • 85.14.243.9 – Port 443 Clear text – C2 Check-In – POST INFECTION TRAFFIC (Germany, AS24961 myLoc managed IT AG)

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection. (Note CrypMic using new C2 85.14.243.9)


Shown above: Injected script found on compromised site redirecting to “hopto.org” gate


Shown above: CrypMic post infection traffic over port 443 in clear text, showing partial content of the HTML ransom note delivered without encryption.


Shown above: Hybrid-analysis.net shows post infection communication with C2


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

  • 2016-08-08-Neutrino-EK.swf – Virus Total Link
  • 2016-08-08-rad726D0.tmp.dll – Virus Total Link – Hybrid-Analysis Link