220.127.116.11 – eddieoneverything.com – Compromised Site
18.104.22.168 – null.delayofgame.com – Afraidgate JS
22.214.171.124 – aqxsgncqro.anyoneshall.top – Neutrino EK
File name: Afraidgate malicious JS.js
File name: Neutrino EK Landing Page.html
File name: Neutrino EK SWF Exploit.swf
File name: radE17A7.tmp.exe
This was another compromised site that I found leading to Neutrino EK at 126.96.36.199. Just like with my previous encounters with Afraidgate, the EK delivered a Locky payload.
Below is the injected Afraidgate script and the response from the server:
The script returns a snippet of code containing the iframe that is responsible for redirecting the host to the Neutrino EK landing page.
Below is the Neutrino EK landing page as seen in traffic and the HTML file:
Again, it is the code on the landing page that issues the GET for the Flash exploit.
Next comes the GET for the HTML file, 0 bytes in size and, when the source is viewed, containing a single “1”:
Last but certainly not least comes the Locky payload. There is a .DAT file dropped in the Temp folder, followed by the Locky .exe. Both files delete themselves once the system is infected.
The file description says “Harbor” and the company says “Liberated.” Not sure if that is random or if it’s meant to have some meaning.
For post-infection callback traffic please see the IOCs section at the very top. I would recommend blocking the Neutrino EK IP as well as the post-infection IPs and domains at your perimeter firewall(s).
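As an added illustration (not code from the original post), the Python below reconstructs the chain described above from constructed proxy log lines: an HTML landing page reached from a different site, a Flash object from the same host, and an executable download from that same host, with any script host the compromised site referred to reported as the gate. The domains are the ones listed at the top; the client addresses, paths and log format are invented.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). Fields:
# time client method url status content-type referer ("-" if none)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://eddieoneverything.com/ 200 text/html -
10:00:02 10.0.0.5 GET http://null.delayofgame.com/gate.js 200 application/javascript http://eddieoneverything.com/
10:00:03 10.0.0.5 GET http://aqxsgncqro.anyoneshall.top/landing.html 200 text/html http://eddieoneverything.com/
10:00:04 10.0.0.5 GET http://aqxsgncqro.anyoneshall.top/exploit.swf 200 application/x-shockwave-flash http://aqxsgncqro.anyoneshall.top/landing.html
10:00:05 10.0.0.5 GET http://aqxsgncqro.anyoneshall.top/blank.html 200 text/html http://aqxsgncqro.anyoneshall.top/landing.html
10:00:06 10.0.0.5 GET http://aqxsgncqro.anyoneshall.top/payload 200 application/octet-stream http://aqxsgncqro.anyoneshall.top/landing.html
10:00:07 10.0.0.9 GET http://example.org/video.swf 200 application/x-shockwave-flash http://example.org/page.html
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+)")
FLASH = "application/x-shockwave-flash"
BINARY = {"application/octet-stream", "application/x-msdownload"}

def parse(log):
    """Turn each log line into a dict with the fields the chain logic needs."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _t, client, _method, url, _status, ctype, ref = m.groups()
            rows.append({"client": client, "host": urlparse(url).hostname, "ctype": ctype,
                         "ref_host": urlparse(ref).hostname if ref != "-" else None})
    return rows

def find_ek_chains(rows):
    """One finding per Flash object whose host also served a cross-site HTML
    landing page before it and an executable download after it."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, seq in by_client.items():
        for i, r in enumerate(seq):
            if r["ctype"] != FLASH:
                continue
            ek = r["host"]
            # Landing page: HTML from the EK host, referred to from a different site.
            landing = next((x for x in seq[:i] if x["host"] == ek and x["ctype"] == "text/html"
                            and x["ref_host"] and x["ref_host"] != ek), None)
            payload = next((x for x in seq[i + 1:] if x["host"] == ek and x["ctype"] in BINARY), None)
            if landing and payload:
                site = landing["ref_host"]
                # Gate: script pulled from a third host with the compromised site as referer.
                gates = sorted({x["host"] for x in seq[:i] if x["ref_host"] == site
                                and x["host"] not in (site, ek) and "javascript" in x["ctype"]})
                findings.append({"client": client, "compromised_site": site,
                                 "gate_hosts": gates, "ek_host": ek})
    return findings
```

The lone Flash request from 10.0.0.9 is not reported because nothing else in its session matches, which is the point of requiring the whole landing, exploit and payload sequence from one host rather than alerting on every SWF.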