Neutrino EK via pseudoDarkleech from 137.74.223.62 delivers CrypMic Ransomware

#NeverForget – To my friends, colleagues and all souls lost on the morning of September 11th, 2001, I will never forget you. – BroadAnalysis

NOTES:

  • Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign with use of the Neutrino Exploit Kit.
  • The injection method was an iframe, as mentioned in a post on the SANS Internet Storm Center forum, “Change in patterns for the pseudoDarkleech campaign”.
  • The pseudoDarkleech campaign is making use of DNS shadowing, as explained in the sucuri.net blog post “Website Malware – Evolution of Pseudo Darkleech”.
  • CrypMic continues to send its ransom notes over port 443, the usual SSL port, in clear text.
  • CrypMic is no longer using vssadmin.exe to delete the Windows shadow copy.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me:
info@broadanalysis.com

PCAP file of the infection traffic:
2016-09-11-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 137.74.223.62 – free.diendancacanh.net – Neutrino EK LANDING PAGE
  • 46.165.246.9 – Port 443 – Clear Text – CnC Check-In POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Neutrino exploit and CrypMic ransomware infection.

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Neutrino EK landing page to start the infection chain. The web page source can be viewed by right-clicking on the page and selecting “View source”.

Shown above: Packet 139 shows Neutrino exploiting Flash version 19,0,0,245

Shown above: Packet 286 shows partial content of malicious payload delivered as an application/octet-stream in an encrypted/obfuscated format

Shown above: Process associated with CrypMic ransomware

Shown above: Using the ping command you can see the use of DNS shadowing. If you ping the landing page hostname without the third-level label, it returns the IP address of the legitimate website. If you ping the third-level domain, it returns a different IP address, which points to the Neutrino EK landing page.
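As an added example (not part of the original post), a small Python triage script that automates the ping comparison shown above: it takes resolver output and flags third-level hostnames whose addresses share no network with their parent domain. The resolution table is constructed; 137.74.223.62 is the landing-page IP from this post, while the legitimate site's address is a documentation placeholder, not its real IP.

```python
import ipaddress

# Constructed stand-in for resolver output (what `ping` / `dig` would return).
# 137.74.223.62 is the Neutrino EK landing-page IP from this post; the apex
# domain's address is a documentation placeholder, NOT the site's real IP.
SAMPLE_RESOLUTIONS = {
    "diendancacanh.net": ["203.0.113.10"],
    "www.diendancacanh.net": ["203.0.113.10"],
    "free.diendancacanh.net": ["137.74.223.62"],
}


def registered_domain(hostname):
    """Naive apex extraction (last two labels). Production code should use
    a public-suffix list so that names like example.co.uk are handled."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def _network_of(ip):
    """Coarse network key: /24 for IPv4, /48 for IPv6, so hosts on the same
    provider block count as 'the same place' and do not trigger a finding."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def find_shadowed_hosts(resolutions):
    """Return (subdomain, its_ips, apex_ips) for every subdomain whose
    addresses share no network with its registered domain. This is a triage
    signal, not proof: CDN-fronted subdomains legitimately resolve elsewhere."""
    findings = []
    for host, ips in resolutions.items():
        apex = registered_domain(host)
        apex_ips = resolutions.get(apex)
        if host == apex or not apex_ips:
            continue  # nothing to compare against
        host_nets = {_network_of(ip) for ip in ips}
        apex_nets = {_network_of(ip) for ip in apex_ips}
        if host_nets.isdisjoint(apex_nets):
            findings.append((host, list(ips), list(apex_ips)))
    return findings


if __name__ == "__main__":
    for host, ips, apex_ips in find_shadowed_hosts(SAMPLE_RESOLUTIONS):
        print(f"possible DNS shadowing: {host} -> {ips} (apex -> {apex_ips})")
```

In practice the table would be filled from passive DNS or live lookups of the hostnames seen in the pcap, and each finding reviewed by hand.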


Shown above: README.html ransom note and payment instructions associated with the CrypMic ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: