Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:

195.58.170.31 – skopikundlohn[.]at – Compromised Site
138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS
5.2.73.124 – kqccnxro.thatset.top – Neutrino EK
188.127.249.32 – POST /data/info.php – callback traffic
95.85.19.195 – POST /data/info.php – callback traffic

Hashes:
SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550
File name: crew.nbbgradstudents.com.js

SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9
File name: Neutrino EK Landing Page.htm

SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b
File name: Neutrino EK SWF Exploit.swf

SHA256: 409475789697476df4969df8fbaded0f3bf81d6310a109a2c6d97ae8862ee675
File name: rad71BA2.tmp.exe

The infection chain starts with the compromised site containing the Afraidgate script. It can be a little difficult to tell which script will return the iframe if you’re not use to looking at normal network traffic. Here is the Afraidgate script on the compromised site:

The response from the server contains compressed data so I extracted the file. Below is a picture of the response from the server and the file containing the malicious iframe:

The URL in the tags redirects the host to the Neutrino EK landing page. Again, the response from the server shows it’s being compressed but here is what the HTML looks like:

The landing page is where the host gets it’s next instructions, which is to download the SWF exploit:

Then, like always, there is a GET request for an HTML file 0 bytes in size. I’m still not sure why Neutrino EK uses this technique but I’m certain there is a purpose behind it:

Following that the host makes the GET for the Locky payload:

The payload is dropped into the Temp folder and deletes itself once the system has been infected. Here is the payload that was dropped on the system:

Once executed the file deletes itself and the ransom notes begin to popup on the Desktop and in numerous folders:

Checking for post-infection traffic I found the following POST requests:

188.127.249.32/data/info.php
95.85.19.195/data/info.php

I would recommended blocking the EK and callback IPs on your network perimeter firewall(s).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: