pseudoDarkleech Leads to Neutrino EK at 74.208.192.13 Which Then Drops CryptMIC Ransomware

IOCs:

72.10.49.22 – ionedds.com – Compromised Site
74.208.192.13 – arkisempaa-mycobutin.smoothbadger.uk – Neutrino EK
85.14.243.9 – Post-infection CryptMIC callback traffic over TCP port 443

Hashes:
SHA256: c2e931c5b81ecc0cb617f7e9ebf20e7626f2dee496e6f0e1e65bc19eb42a365c
File name: Neutrino EK Landing Page

SHA256: 0a42e068479e729d295a0d5e9505d7e291c201d557e315f5327e009455ea81df
File name: Neutrino EK SWF Exploit

SHA256: ca7a59c4a6106e1f74f7519250c19e1bf48ea0aeed2cdf22b0a4715f0a858b81
File name: rad7318C.tmp.dll – Payload in %APPDATA%

The infection chain starts with a compromised site containing a pseudo-Darkleech script in an tag:

The iframe redirects the host to the Neutrino EK landing page:

The landing page contains the URI for the SWF exploit.

Below is the GET for SWF exploit:

Once the SWF exploit is dropped on the system we see a GET for an empty file followed by a GET for a CryptMIC payload:

After the payload is dropped and executed there is post-infection callback to an unresponsive server (no return traffic):

We can see the payload within the %APPDATA% directory along with some other CryptMIC files:

Here are some images of the different ransom notes being dropped on the Desktop as well as an image of what an encrypted file looks like:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: