18.104.22.168 – etratech[.]com – Compromised Website
22.214.171.124 – spuitvissen.mycasemanager.co.uk – Neutrino EK
126.96.36.199 – CryptMIC post-infection traffic over TPC port 443
File name: Neutrino EK Landing Page.html
File name: Neutrino EK SWF Exploit.swf
File name: rad63FC3.tmp.dll
Infection chain is pseudoDarkleech campaign to Neutrino EK to CryptMIC ransomware. Needless to say I’ve been seeing a lot of Neutrino EK leading to CryptMIC recently.
Here is the injected script found on the compromised website:
The iframe redirects the host to the Neutrino EK landing page shown below:
The URI for the SWF file can be seen on the EK landing page. Here is the GET for the Flash exploit and the usual GET for an empty HTML file:
The last GET from the host to the server is for the final payload:
Here is the .dll dropped in the %APPDATA% folder:
As with my other samples from today the host makes some request via TCP port 443 to 188.8.131.52, however, the server doesn’t seem to be responding.
Looking at the infected host you can also see the ransom note being displayed on the Desktop and in numerous folders, including the Temp folder shown above.