18.104.22.168 – hesamut.top – EITest gate IP and domain
22.214.171.124 – kierrell.bartonjuniorschool.com – Neutrino EK
126.96.36.199 – CryptMIC ransomware post-infection callback
EITest Gate Flash Redirect: 93838c299f7dfd0365023dc51d92b27395dca449b8a8bc6e7ad10fc6abc39ebc
Neutrino EK Flash Exploit: 80f8636298193c9965b9e9d3f7759207ebaf3cd1b4c7c3f4d6a2462026ebce25
I’ve written about EITest gate for the last couple of months and there really hasn’t been that many notable changes. Below is a sample that I collected from my lab after visiting a compromised site containing the injected EITest script:
Here we can the injected script containing the EITest gate URL. Not a surprise to any security professionals to see the .top TLD being used here. Just take a look at all this history of garbage:
Again, the .top gTLD (introduced November 18, 2014) is one of the more dirty gTLDs with more than half of its domains being categorized as bad:
Looking at my SIEM I see that ET managed to correctly identify the malicious traffic. Notice how ET categorized the .top gTLD as a “Firesale”. I’m guessing this is because the .top gTLD are very cheap and thus very attractive for the bad guys.
VirusTotal is categorizing this SWF file as a flash exploit, however, with a rather low detection ratio of 1/52 (as of 8/10/16).
Below is the GET request for the Neutrino Exploit Kit landing page followed by the GET request for the Neutrino SWF exploit:
Again, we see another GET request but as always it returns a “malformed packet”:
The Neutrino EK SWF file is designed to fingerprint the system and then if it’s vulnerable the same SWF is used to exploit the system. Lastly we see a GET for the payload however it is encrypted or obfuscated:
HTTP objects pulled from the PCAP:
After the payload is dropped we can start to see the initial three-way handshake with the CryptMIC C2 via TCP port 443. Notice again how the ransom note is being sent over in clear text:
I recommend blocking both the EITest gate IP and Neutrino EK IP at your firewall(s).