EITest Gate at 85.93.0.12 Leads to Neutrino EK at 107.6.177.5 Which Delivers CryptMIC

IOCs:

85.93.0.12 – hesamut.top – EITest gate IP and domain
107.6.177.5 – kierrell.bartonjuniorschool.com – Neutrino EK
85.14.243.9 – CryptMIC ransomware post-infection callback

Decryption Domains:
hxxp://7aggi2bq4bms4dfo.onion.to
hxxp://7aggi2bq4bms4dfo.onion.city

Ransom Notes:
README.html
README.txt
README.bmp

File Hashes:
EITest Gate Flash Redirect: 93838c299f7dfd0365023dc51d92b27395dca449b8a8bc6e7ad10fc6abc39ebc
Neutrino EK Flash Exploit: 80f8636298193c9965b9e9d3f7759207ebaf3cd1b4c7c3f4d6a2462026ebce25

I’ve written about the EITest gate for the last couple of months and there really haven’t been many notable changes. Below is a sample that I collected from my lab after visiting a compromised site containing the injected EITest script:

Here we can see the injected script containing the EITest gate URL. It is no surprise to any security professional to see the .top TLD being used here. Just take a look at all this history of garbage:

Again, the .top gTLD (introduced November 18, 2014) is one of the dirtier gTLDs, with more than half of its domains categorized as bad:

Looking at my SIEM, I see that ET (Emerging Threats) correctly identified the malicious traffic. Notice how ET categorizes the .top gTLD as a “Firesale”. I’m guessing this is because .top domains are very cheap and thus very attractive to the bad guys.

As usual with the EITest gate we see the GET request for the SWF redirect:


VirusTotal is categorizing this SWF file as a flash exploit, however, with a rather low detection ratio of 1/52 (as of 8/10/16).

The Flash redirect then makes a GET for the EITest gate URL. Notice how the GET request is supposedly for a .png called “hlb.png”. In actuality it returns an HTML file (HTML/Neutrino.b) 507 bytes in size containing JavaScript designed to redirect the host to the Neutrino Exploit Kit landing page. The mismatch between the requested file type and the content actually returned is itself a useful detection signal:

Below is the GET request for the Neutrino Exploit Kit landing page followed by the GET request for the Neutrino SWF exploit:

Again, we see another GET request, and as always the response shows up as a “malformed packet”:

The Neutrino EK SWF file fingerprints the system and, if the system is vulnerable, the same SWF exploits it. Lastly, we see a GET for the payload; however, it is encrypted or obfuscated:

HTTP objects pulled from the PCAP:

After the payload is dropped, we can see the initial three-way handshake with the CryptMIC C2 on TCP port 443. Notice again that, despite the use of port 443, the ransom note is sent in clear text:
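The checks a practitioner would want to run over this capture are the ones the post calls out one by one: a hit on the EITest gate and Neutrino EK indicators, a request to the .top gTLD, an image URI (“hlb.png”) answered with HTML, Flash served from the gate or EK host, and a session on tcp/443 that is not TLS at all (the clear-text CryptMIC callback). The following is an added example, written for this page rather than taken from the original post; it runs those checks over constructed records laid out like a simplified Zeek http.log/conn.log (the record layout, the victim and benign addresses, and the .swf and landing-page paths are assumptions, not values from the capture).

```python
# Added example (not code from the original post): triage of HTTP and TCP
# records for the EITest gate -> Neutrino EK -> CryptMIC chain described above.
# The record layout is a simplified, Zeek-style http.log/conn.log view and is
# an assumption; every sample record below is constructed, not captured.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the IOC list at the top of the post.
IOC_IPS = {
    "85.93.0.12": "EITest gate",
    "107.6.177.5": "Neutrino EK",
    "85.14.243.9": "CryptMIC C2",
}
IOC_DOMAINS = {"hesamut.top", "kierrell.bartonjuniorschool.com"}
SUSPECT_TLDS = {"top"}  # the gTLD the post (and the ET "Firesale" rule) single out
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
SWF_MIME = "application/x-shockwave-flash"


@dataclass
class HttpRecord:
    src: str
    dst: str
    host: str       # Host header
    uri: str        # request URI
    resp_mime: str  # MIME type sniffed from the response body, not the Content-Type header
    resp_len: int


@dataclass
class TcpRecord:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first bytes the client sent after the three-way handshake


def check_http(rec: HttpRecord) -> list[str]:
    """Return the reasons an HTTP transaction looks like part of the chain."""
    hits = []
    if rec.dst in IOC_IPS:
        hits.append(f"known-bad IP {rec.dst} ({IOC_IPS[rec.dst]})")
    if rec.host.lower() in IOC_DOMAINS:
        hits.append(f"known-bad domain {rec.host}")
    tld = rec.host.lower().rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        hits.append(f"suspect gTLD .{tld}")
    # The gate is fetched as "hlb.png" but answers with a small HTML redirector:
    # an image URI whose body sniffs as HTML is the mismatch the post shows.
    path = urlsplit(rec.uri).path.lower()
    if path.endswith(IMAGE_EXTS) and rec.resp_mime == "text/html":
        hits.append("image URI answered with text/html")
    # Flash served from a gate/EK host: the EITest redirect SWF or the Neutrino exploit SWF.
    if rec.resp_mime == SWF_MIME and (tld in SUSPECT_TLDS or rec.dst in IOC_IPS):
        hits.append("SWF served from suspect host")
    return hits


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record of type handshake (0x16), major
    version 3, whose first handshake message is a ClientHello (type 0x01)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)


def check_tcp(rec: TcpRecord) -> list[str]:
    """Return the reasons a TCP session looks like CryptMIC-style C2."""
    hits = []
    if rec.dst in IOC_IPS:
        hits.append(f"known-bad IP {rec.dst} ({IOC_IPS[rec.dst]})")
    # CryptMIC talks to its C2 on 443 without TLS, so the ransom note is readable
    # on the wire; anything on 443 that does not open with a ClientHello deserves a look.
    if rec.dport == 443 and not is_tls_client_hello(rec.first_bytes):
        hits.append("clear-text payload on tcp/443")
    return hits


def triage(records):
    """Return [(record, hits)] for every record that raised at least one hit."""
    out = []
    for rec in records:
        hits = check_http(rec) if isinstance(rec, HttpRecord) else check_tcp(rec)
        if hits:
            out.append((rec, hits))
    return out


# Constructed sample records mirroring the chain in the post. The victim and the
# benign server use RFC 5737 documentation addresses; the .swf and landing-page
# paths are placeholders, not the real URIs from the capture.
VICTIM = "192.0.2.10"
SAMPLE_RECORDS = [
    HttpRecord(VICTIM, "85.93.0.12", "hesamut.top", "/redirect.swf", SWF_MIME, 1024),
    HttpRecord(VICTIM, "85.93.0.12", "hesamut.top", "/hlb.png", "text/html", 507),
    HttpRecord(VICTIM, "107.6.177.5", "kierrell.bartonjuniorschool.com", "/landing", "text/html", 4096),
    HttpRecord(VICTIM, "203.0.113.10", "example.com", "/logo.png", "image/png", 2048),
    TcpRecord(VICTIM, "85.14.243.9", 443, b"README.txt\r\n(constructed clear-text ransom note)"),
    TcpRecord(VICTIM, "203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

if __name__ == "__main__":
    for rec, hits in triage(SAMPLE_RECORDS):
        print(f"{rec.src} -> {rec.dst}: " + "; ".join(hits))
```

Two design points. The image-versus-HTML check keys on the MIME type sniffed from the body, not on the Content-Type header, because a gate that lies about the file name will lie in the header just as readily. The tcp/443 check only needs the first handful of client bytes: a real TLS session opens with a handshake record (0x16 0x03 0x0X) carrying a ClientHello, and a connection on 443 that starts with anything else, such as a readable ransom note, is exactly what the post shows.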

I recommend blocking both the EITest gate IP and Neutrino EK IP at your firewall(s).
