pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs:

181.224.139.64 – stjoeschool[.]org – Compromised Website
74.208.161.160 – besucador.me-audio.co.uk – Neutrino EK
85.14.243.9 – CryptMIC post-infection traffic via TCP port 443

Hashes:
SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f
File name: Neutrino EK Landing Page.html

SHA256: 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4
File name: Neutrino EK SWF Exploit.swf

SHA256: 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6
File name: rad050CF.tmp.dll

Once again, the pseudoDarkleech campaign has been leading to a lot of Neutrino EK traffic, which in turn has been dropping CryptMIC ransomware.

Here is the pseudoDarkleech code injected into the compromised website:

The iframe points the host to the Neutrino EK landing page:

The Neutrino EK landing page (shown above) contains instructions for downloading the SWF exploit. Again, you can see the URI for the Flash file on the landing page.

Here is the GET for the SWF exploit and an empty HTML file:

The final GET request made by the host is for the CryptMIC payload:

Following the delivery of the payload we can see multiple files created in %APPDATA%:

As with my other samples from today, the host makes some requests to 85.14.243.9 via TCP port 443; however, the server doesn't seem to be responding.

Looking at the infected host you can also see the ransom note being displayed on the Desktop as well as in numerous folders, including the Temp folder shown above.
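As an added example (not code from the original post), the script below takes the IOCs listed at the top of this write-up and runs them over a few constructed proxy-log lines, flagging the compromised site, the Neutrino EK host, the three file hashes and the TCP/443 callback, and then reconstructs the order of the stages so an analyst can confirm the full chain fired for a given client. The log layout, the client IPs and the timestamps are assumptions made up for the example; the indicators themselves are the ones on this page.

```python
import re
from typing import Dict, List, Optional

# IOCs from the write-up (defanged brackets removed so they can be matched).
IOC_IPS: Dict[str, str] = {
    "181.224.139.64": "compromised website stjoeschool.org",
    "74.208.161.160": "Neutrino EK (besucador.me-audio.co.uk)",
    "85.14.243.9": "CryptMIC post-infection traffic (TCP/443)",
}
IOC_DOMAINS: Dict[str, str] = {
    "stjoeschool.org": "compromised website",
    "besucador.me-audio.co.uk": "Neutrino EK",
}
IOC_SHA256: Dict[str, str] = {
    "f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f": "Neutrino EK landing page (.html)",
    "43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4": "Neutrino EK SWF exploit",
    "35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6": "CryptMIC payload rad050CF.tmp.dll",
}
# Stage each IP represents in the chain described in the post.
STAGE_BY_IP: Dict[str, str] = {
    "181.224.139.64": "compromised_site",
    "74.208.161.160": "neutrino_ek",
    "85.14.243.9": "cryptmic_c2",
}

# Hypothetical proxy-log layout, assumed only for this example:
#   <timestamp> <client_ip> <dst_ip>:<dst_port> <method> <host> <status> <body_sha256 or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<status>\d{3})\s+(?P<sha256>\S+)$"
)


def defang(value: str) -> str:
    """Turn a defanged indicator such as stjoeschool[.]org back into a matchable name."""
    return value.replace("[.]", ".")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_record(rec: dict) -> List[str]:
    """Return a description of every IOC the parsed record matches (empty if clean)."""
    hits: List[str] = []
    if rec["dst"] in IOC_IPS:
        hits.append(f"ip:{rec['dst']} -> {IOC_IPS[rec['dst']]}")
    host = defang(rec["host"]).lower().rstrip(".")
    for domain, desc in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            hits.append(f"domain:{host} -> {desc}")
    sha = rec["sha256"].lower()
    if sha in IOC_SHA256:
        hits.append(f"sha256:{sha[:12]}... -> {IOC_SHA256[sha]}")
    return hits


def scan(lines) -> List[dict]:
    """Scan log lines; return one finding per line that matched at least one IOC."""
    findings: List[dict] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than stop the whole scan
        hits = match_record(rec)
        if hits:
            findings.append({"line": n, "client": rec["client"], "dst": rec["dst"],
                             "port": int(rec["port"]), "hits": hits})
    return findings


def infection_chain(findings: List[dict]) -> List[str]:
    """Order the matched stages as they appear in the log, to confirm the full chain fired."""
    chain: List[str] = []
    for f in findings:
        stage = STAGE_BY_IP.get(f["dst"])
        if stage and stage not in chain:
            chain.append(stage)
    return chain


# Constructed sample log (not real traffic): one infected client walking the chain
# from the compromised site through the EK to the TCP/443 callback, plus one clean client.
SAMPLE_LOG = """\
2016-01-01T00:00:10Z 10.0.0.25 181.224.139.64:80 GET stjoeschool.org 200 -
2016-01-01T00:00:11Z 10.0.0.25 74.208.161.160:80 GET besucador.me-audio.co.uk 200 f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f
2016-01-01T00:00:12Z 10.0.0.25 74.208.161.160:80 GET besucador.me-audio.co.uk 200 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4
2016-01-01T00:00:13Z 10.0.0.25 74.208.161.160:80 GET besucador.me-audio.co.uk 200 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6
2016-01-01T00:00:20Z 10.0.0.25 85.14.243.9:443 CONNECT 85.14.243.9 503 -
2016-01-01T00:01:00Z 10.0.0.31 93.184.216.34:443 CONNECT example.com 200 -
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['dst']}:{f['port']}")
        for h in f["hits"]:
            print("   ", h)
    print("chain:", " -> ".join(infection_chain(scan(SAMPLE_LOG))))
```

Matching the domain with a suffix test rather than equality catches the subdomain the EK actually used (besucador.me-audio.co.uk under me-audio.co.uk would not be caught, but other hosts under besucador.me-audio.co.uk would), and the stage ordering is what lets you tell a client that only touched the compromised site apart from one that went all the way to the CryptMIC callback, which is the line between "blocked at the EK" and "needs an incident ticket".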
