pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs:

181.224.138.165 – etratech[.]com – Compromised Website
74.208.161.160 – spuitvissen.mycasemanager.co.uk – Neutrino EK
85.14.243.9 – CryptMIC post-infection traffic over TCP port 443

Hashes:
SHA256: 3f8bedcc1f738469b7fae7446387aeeb5b4e1b8f1b5bb810a155be25fb148410
File name: Neutrino EK Landing Page.html

SHA256: bc2f96dbdca32491b5966fcf4ee22bda4ad25c5abcb660780ce7baddc2e00d2c
File name: Neutrino EK SWF Exploit.swf

SHA256: dc5a6e8098e30ee0d2fad66dd038ca76801e70d82db36903db7040b9c2cb3f05
File name: rad63FC3.tmp.dll

The infection chain is the pseudoDarkleech campaign leading to Neutrino EK, which drops CryptMIC ransomware. Needless to say, I’ve been seeing a lot of Neutrino EK leading to CryptMIC recently.

Here is the injected script found on the compromised website:

The iframe redirects the host to the Neutrino EK landing page shown below:

The URI for the SWF file can be seen on the EK landing page. Here is the GET for the Flash exploit and the usual GET for an empty HTML file:

The last GET from the host to the server is for the final payload:

Here is the .dll dropped in the %APPDATA% folder:

As with my other samples from today, the host makes some requests via TCP port 443 to 85.14.243.9; however, the server doesn’t seem to be responding.

Looking at the infected host you can also see the ransom note being displayed on the Desktop and in numerous folders, including the Temp folder shown above.
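As an added detection example (not part of the original post), the Python below maps the IOCs listed above onto a constructed proxy-log format and flags internal hosts whose traffic shows the whole chain in order (compromised site, then Neutrino EK, then the TCP/443 callback) rather than just a visit to the compromised site. The log format, timestamps, internal IPs and request paths are all assumptions; only the IPs and domains come from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators as listed in this post (domains re-armed from their defanged form).
IOC_IPS = {"181.224.138.165": "compromised-site", "74.208.161.160": "neutrino-ek",
           "85.14.243.9": "cryptmic-callback"}
IOC_DOMAINS = {"etratech.com": "compromised-site",
               "spuitvissen.mycasemanager.co.uk": "neutrino-ek"}
CHAIN = ("compromised-site", "neutrino-ek", "cryptmic-callback")

# Assumed (constructed) proxy log format: <ts> <src_ip> <dst_ip>:<port> <host> <method> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\S+)$")

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (src_ip, stage) when a line touches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, port, host, _method, _path = m.groups()
    stage = IOC_IPS.get(dst) or IOC_DOMAINS.get(host.lower())
    # The post only saw the CryptMIC callback on TCP/443; ignore other ports to cut noise.
    if stage == "cryptmic-callback" and port != "443":
        return None
    return (src, stage) if stage else None

def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each internal host to the ordered, de-duplicated chain stages it touched."""
    seen: Dict[str, List[str]] = {}
    for line in text.splitlines():
        hit = classify(line)
        if hit and hit[1] not in seen.setdefault(hit[0], []):
            seen[hit[0]].append(hit[1])
    return seen

def full_chain_hosts(seen: Dict[str, List[str]]) -> List[str]:
    """Hosts showing every stage in order: likely infected, not just a visitor of the site."""
    return [host for host, stages in seen.items() if tuple(stages) == CHAIN]

# Constructed sample log: one host walks the full chain, another only visits the site.
SAMPLE_LOG = """\
2016-08-01T10:00:01 10.0.0.5 181.224.138.165:80 etratech.com GET /
2016-08-01T10:00:03 10.0.0.5 74.208.161.160:80 spuitvissen.mycasemanager.co.uk GET /landing
2016-08-01T10:00:09 10.0.0.5 74.208.161.160:80 spuitvissen.mycasemanager.co.uk GET /payload
2016-08-01T10:00:15 10.0.0.5 85.14.243.9:443 - CONNECT -
2016-08-01T10:05:00 10.0.0.9 181.224.138.165:80 etratech.com GET /
"""

if __name__ == "__main__":
    print(full_chain_hosts(scan_log(SAMPLE_LOG)))  # ['10.0.0.5']
```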

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
