Afraidgate Leads to Neutrino EK at 176.31.223.167 Which Drops Locky Ransomware

IOCs:

  • red.kamyuenenterprise.hk – JS Redirect – 138.197.128.173
  • vsjgvbaz.anythingwork.top – Neutrino EK – 176.31.223.167
  • 194.67.210.183 POST /php/upload.php – Locky post-infection callback traffic

Hashes:

  1. JS file: 049add46d0a527b50a605573c98330ceabaf533559f06e6fc4795cf6ca326bc1
  2. Neutrino EK landing Page: 2bf38bb619b4c89f39356b5e1dac87ffd013e1aefb95617b3d015a5f74856757
  3. Neutrino EK Flash Exploit: fbf67ebbf326ec0b6379d5461b3893eb864fc6c346f71c93a467e90e8aea3354
  4. Neutrino EK Locky Payload: 542209ebd40928a0b4e016fcdd0813f3444dbf139ae3adfc194843abeacdf1fd

Visiting the compromised site and looking at the source code, I found a script within the HTML tags pointing to the Afraidgate URL:

The GET request for the JavaScript at red.kamyuenenterprise.hk returned the following response from the server:

The response used gzip compression; however, pulling the file and opening it as a .txt document shows that the response contains an iframe:

That iframe points to the Neutrino Exploit Kit landing page. Here is the GET request and response:

Again, the response is using gzip compression. Below is the HTML code found on the landing page:

Once the victim is redirected to the landing page, their browser is directed, via the object tag in the HTML, to load Flash Player and then play the SWF file found in the URL. If the user doesn’t have Flash Player, the browser is given instructions to download it.

Here is the actual GET request for that Flash file found in the URL and the response from the server:

The Flash file usually contains multiple exploits typically affecting IE and Flash Player.

The Flash exploit is followed by an additional request for an empty .html file (shown as a malformed packet in Wireshark). I’m still not sure why this happens:

Lastly we see that the Locky payload is dropped:

After the payload we can see the typical post-infection callback traffic for Locky using direct IPs instead of domains:

Once the system has been compromised, ransom notes are dropped on the desktop and in the user’s directories. Filenames are obfuscated and given a .zepto extension.

Here is a common Neutrino EK framework:


Also worth noting is that each directory containing encrypted files has an .HTML ransom note with the following naming format: _[number]_HELP_instructions.
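As an added example (not part of the original write-up), the two host-side and network-side indicators described above can be turned into simple detection logic: a check over proxy log lines for the Locky callback (a POST to /php/upload.php where the host is a raw IP rather than a domain) and a filename classifier for the .zepto files and _[number]_HELP_instructions.html notes. The log format and all sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original capture):
# "<unix_time> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1469000001 10.0.0.5 GET http://red.kamyuenenterprise.hk/js/main.js 200
1469000002 10.0.0.5 GET http://vsjgvbaz.anythingwork.top/land.html 200
1469000003 10.0.0.5 POST http://194.67.210.183/php/upload.php 200
1469000004 10.0.0.7 POST http://updates.example.com/php/upload.php 200
1469000005 10.0.0.5 GET http://194.67.210.183/index.html 404
"""

LOCKY_CALLBACK_PATH = re.compile(r"^/php/upload\.php$")


def is_bare_ip(host):
    """True if the URL host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_locky_callbacks(log_text):
    """Return (client, url) pairs matching the Locky check-in pattern:
    a POST to /php/upload.php whose host component is a raw IP address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash
        _ts, client, method, url = parts[:4]
        u = urlsplit(url)
        if (method == "POST" and u.hostname and is_bare_ip(u.hostname)
                and LOCKY_CALLBACK_PATH.match(u.path)):
            hits.append((client, url))
    return hits


# On-disk artefacts of the Zepto variant: obfuscated names ending in .zepto
# and one ransom note per directory named _[number]_HELP_instructions.html
ZEPTO_FILE = re.compile(r"\.zepto$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"^_\d+_HELP_instructions\.html$", re.IGNORECASE)


def classify_filename(name):
    """Label a filename as 'encrypted', 'ransom_note' or None."""
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    if ZEPTO_FILE.search(name):
        return "encrypted"
    return None
```

Running find_locky_callbacks over the sample flags only the POST to the bare IP; the POST to a domain with the same path is left alone.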

I took a screenshot of the ransom notes in case analysts want to see what they look like. I also added a screenshot of what the encrypted files look like:
