pseudoDarkleech Script Leads to Neutrino EK at 92.222.122.52 Which Drops CryptMIC Ransomware

IOCs:

92.222.122.52 – seyhocacm.assistkd.com – Neutrino Exploit Kit
85.14.243.9 – CryptMIC Ransomware C2 via TCP port 443 (clear text)

Payment Sites:
hxxp://ccjlwb22w6c22p2k.onion.to
hxxp://ccjlwb22w6c22p2k.onion.city

Ransom notes:
README.txt
README.bmp
README.html

As Brad Duncan from malware-traffic-analysis.net points out, there has been a recent change in patterns for the pseudoDarkleech campaign: it has shifted from large blocks of obfuscated code on the compromised sites to injected iframes as the initial redirection mechanism:

Return HTTP traffic from the compromised site did trigger an ET alert in Sguil for an unknown redirector leading to an EK; however, there weren't any alerts for the EK landing page or for the post-infection callback traffic:

The iframe (shown above) causes the initial redirection to the Neutrino EK landing page:

Below we see the GET request for the Neutrino EK SWF exploit (VirusTotal report):

The Flash file also appears to contain code designed to fingerprint the system, in addition to the actual exploit.

Again, near the end of the infection chain, right before the final payload, we see a request for an HTML file and a response containing a malformed packet:

This was followed by a GET request for an encrypted or obfuscated payload:

Below are the HTTP objects pulled from the PCAP:

Initial three-way handshake with the C2, followed by the ransom note being sent in the clear over TCP port 443:

Here is a better look at the request and response:
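The callback above is cleartext on a port where only TLS is expected, and no post-infection alert fired. The following is an added example (not from the original post or the PCAP) of a simple check a defender can run over the first data segment of each flow to port 443: it flags segments that do not start with a plausible TLS record header, and separates high-ASCII cleartext (HTTP, a ransom note) from other non-TLS binary. The sample segments are constructed; the C2 address is the one named in the IOCs.

```python
import string
import struct
from typing import Dict

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
MAX_TLS_RECORD = 16384 + 2048  # max plaintext plus allowance for cipher expansion
PRINTABLE = set(string.printable.encode())

def looks_like_tls_record(payload: bytes) -> bool:
    """True if the segment starts with a plausible TLS record header:
    a known content type, record-layer version 3.x and a sane length."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= MAX_TLS_RECORD)

def printable_ratio(payload: bytes) -> float:
    """Fraction of printable ASCII bytes; cleartext HTTP or a ransom note scores ~1.0."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)

def check_port443_flow(dst_port: int, first_payload: bytes) -> str:
    """Verdict for the first data segment of a TCP flow, based on port and content."""
    if dst_port != 443:
        return "ignore"
    if looks_like_tls_record(first_payload):
        return "tls"
    if printable_ratio(first_payload) > 0.9:
        return "ALERT cleartext on 443"
    return "ALERT non-TLS on 443"

def scan_flows(flows: Dict[str, tuple]) -> Dict[str, str]:
    """Run the check over {name: (dst_port, first_payload)} and collect verdicts."""
    return {name: check_port443_flow(port, data) for name, (port, data) in flows.items()}

# Constructed sample segments (not captured traffic); the C2 address is from the IOC list above.
SAMPLE_FLOWS = {
    "tls-client-hello": (443, b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03" + b"\x00" * 32),
    "c2-cleartext-request": (443, b"POST / HTTP/1.1\r\nHost: 85.14.243.9\r\n\r\nREADME.txt ..."),
    "binary-non-tls": (443, b"\x00\x01\x02\x03\x80\xff\xfe" * 4),
    "plain-http-80": (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
}
```

Run `scan_flows(SAMPLE_FLOWS)` to see the verdicts; in practice the payloads would come from the first data-carrying segment of each flow extracted from the PCAP.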


Screenshots of the CryptMIC ransom notes and desktop:
