220.127.116.11 – stjoeschool[.]org – Compromised Website
18.104.22.168 – besucador.me-audio.co.uk – Neutrino EK
22.214.171.124 – CryptMIC post-infection traffic via TCP port 443
File name: Neutrino EK Landing Page.html
File name: Neutrino EK SWF Exploit.swf
File name: rad050CF.tmp.dll
So again we find that the pseudo-Darkleech campaign has been leading to a lot of Neutrino EK which in turn has been dropping CryptMIC ransomware.
Here is the pseudoDarkleech code injected into the compromised website:
The iframe points the host to the Neutrino EK landing page:
The Neutrino EK landing page (shown above) contains instructions for downloading the SWF exploit. Again, you can see the URI for the Flash file on the landing page.
Here is the GET for the SWF exploit and a empty HTML file:
The final GET request made by the host is for the CryptMIC payload:
Following the delivery of the payload we can see multiple files created in %APPDATA%:
As with my other samples from today the host makes some request via TCP port 443 to 126.96.36.199, however, the server doesn’t seem to be responding.
Looking at the infected host you can also see the ransom note being displayed on the Desktop as well as in numerous folders, including the Temp folder shown above.