Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:

50.97.68.34 – eddieoneverything.com – Compromised Site
138.68.18.73 – null.delayofgame.com – Afraidgate JS
5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK

HTTP requests
URL: hxxp://95.85.19.195/data/info.php
TYPE: POST

URL: hxxp://188.127.249.32/data/info.php
TYPE: POST

URL: hxxp://dutluhnnx.info/data/info.php
TYPE: POST

URL: hxxp://kqudpyjbcd.biz/data/info.php
TYPE: POST

DNS requests
dutluhnnx.info (69.195.129.70)
afgmbssj.org
vlrdkvkt.pw
jybqbxjcwowph.xyz
ggfwsvmnsunvb.work
kqudpyjbcd.biz (58.158.177.102)

TCP connections
95.85.19.195:80
188.127.249.32:80
69.195.129.70:80
58.158.177.102:80

Hashes:
SHA256: 2bc68530c59c8151fd0e8dece8ac28a8e1a58ac9c4e4ba03b6ebdbc43953641f
File name: Afraidgate malicious JS.js

SHA256: 7b3461cd882c0d487906c68bb7dbef09f4fced867e94584d1d0eae2ee86d28c3
File name: Neutrino EK Landing Page.html

SHA256: 181e6f0e048dad4e7597c10021a74d63b15e28c5e871226c9858a31b51ebf708
File name: Neutrino EK SWF Exploit.swf

SHA256: 409475789697476df4969df8fbaded0f3bf81d6310a109a2c6d97ae8862ee675
File name: radE17A7.tmp.exe

This was another compromised site that I found leading to Neutrino EK at 5.2.73.124. Just like in my previous encounters with Afraidgate, the EK delivered a Locky payload.

Below is the injected Afraidgate script and the response from the server:

The script returns a snippet of code containing the iframe that is responsible for redirecting the host to the Neutrino EK landing page.

Below is the Neutrino EK landing page as seen in traffic and the HTML file:

Again, it is the code on the landing page that is responsible for making the GET request for the Flash exploit.

Next comes the GET for an HTML file that is reported as 0 bytes in size and which, when the source is viewed, contains only a single “1”:

Last but certainly not least comes the Locky payload. There is a .DAT file dropped in the Temp folder, followed by the Locky .exe. Both files delete themselves once the system is infected.

The file description says “Harbor” and the company name says “Liberated.” I am not sure whether that is random or meant to have some meaning.

For the post-infection callback traffic, see the IOCs section at the very top. I would recommend blocking the Neutrino EK IP as well as the post-infection IPs and domains at your perimeter firewall(s); note that the callback domains can be re-pointed to new addresses, so block the domains at the DNS or proxy layer and not only the IPs they resolved to here.
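As an added example (not code from the original post), the following Python script turns the IOC section above into a sweep: it classifies proxy log lines against the block set, flags the Locky callback URI `/data/info.php` even when the C2 host is not yet on the list, looks up file hashes against the SHA256 IOCs, and emits perimeter drop rules. The log format, the sample log lines, and the hosts `c2.example` and `example.org` are constructed for the demonstration; the IOC values themselves are the ones listed in the post.

```python
"""IOC sweep for the Afraidgate -> Neutrino EK -> Locky chain above.

Added example, not code from the original post. The IOC values come from
the post's IOC and hash sections; the proxy log format and the sample log
lines are constructed for the demonstration.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Block set recommended in the post: EK and post-infection infrastructure.
BLOCK_IPS = {
    "5.2.73.124",                        # Neutrino EK
    "138.68.18.73",                      # Afraidgate JS host
    "95.85.19.195", "188.127.249.32",    # Locky callback POSTs by IP
    "69.195.129.70", "58.158.177.102",   # resolved callback domains
}
BLOCK_DOMAINS = {
    "null.delayofgame.com", "aqxsgncqro.anyoneshall.top",
    "dutluhnnx.info", "afgmbssj.org", "vlrdkvkt.pw",
    "jybqbxjcwowph.xyz", "ggfwsvmnsunvb.work", "kqudpyjbcd.biz",
}
# The compromised site is worth alerting on but is a legitimate site, so it
# is kept out of the block set.
COMPROMISED_SITES = {"eddieoneverything.com"}
# Every Locky callback in the post POSTs to this path, whatever the host.
CALLBACK_PATH = "/data/info.php"
SHA256_IOCS = {
    "2bc68530c59c8151fd0e8dece8ac28a8e1a58ac9c4e4ba03b6ebdbc43953641f": "Afraidgate malicious JS",
    "7b3461cd882c0d487906c68bb7dbef09f4fced867e94584d1d0eae2ee86d28c3": "Neutrino EK landing page",
    "181e6f0e048dad4e7597c10021a74d63b15e28c5e871226c9858a31b51ebf708": "Neutrino EK SWF exploit",
    "409475789697476df4969df8fbaded0f3bf81d6310a109a2c6d97ae8862ee675": "Locky payload (radE17A7.tmp.exe)",
}

# Constructed log format (assumption): "<client_ip> <method> <url> <server_ip>".
LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")
# Also accepts defanged hxxp:// URLs, so IOC lists can be fed straight in.
URL_RE = re.compile(r"^h(?:tt|xx)ps?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)


@dataclass
class Hit:
    client: str
    reason: str
    indicator: str


def check_line(line: str) -> Optional[Hit]:
    """Classify one proxy log line; None if nothing in it matches an IOC."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, url, dst = m.group("src", "method", "url", "dst")
    u = URL_RE.match(url)
    if not u:
        return None
    host = u.group("host").lower()
    path = u.group("path") or "/"
    # Most specific first: the callback URI marks an already infected client,
    # even when it talks to a C2 address that is not yet on the list.
    if method.upper() == "POST" and path == CALLBACK_PATH:
        return Hit(src, "locky_callback", host + path)
    for indicator in (host, dst):
        if indicator in BLOCK_DOMAINS or indicator in BLOCK_IPS:
            return Hit(src, "blocked_infrastructure", indicator)
    if host in COMPROMISED_SITES:
        return Hit(src, "compromised_site", host)
    return None


def sweep(lines) -> List[Hit]:
    return [h for h in map(check_line, lines) if h is not None]


def lookup_sha256(hexdigest: str) -> Optional[str]:
    return SHA256_IOCS.get(hexdigest.strip().lower())


def check_file_bytes(data: bytes) -> Optional[str]:
    return lookup_sha256(hashlib.sha256(data).hexdigest())


def iptables_rules(chain: str = "FORWARD") -> List[str]:
    """Perimeter drop rules for the IP IOCs. Domains are not covered here:
    their A records can change, so block them at DNS or the proxy."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in sorted(BLOCK_IPS)]


# Constructed sample traffic following the chain described in the post.
SAMPLE_LOG = [
    "10.0.0.5 GET http://eddieoneverything.com/ 50.97.68.34",
    "10.0.0.5 GET http://null.delayofgame.com/ 138.68.18.73",
    "10.0.0.5 GET http://aqxsgncqro.anyoneshall.top/ 5.2.73.124",
    "10.0.0.5 POST http://95.85.19.195/data/info.php 95.85.19.195",
    "10.0.0.5 POST http://kqudpyjbcd.biz/data/info.php 58.158.177.102",
    "10.0.0.5 POST http://c2.example/data/info.php 203.0.113.9",   # unlisted host, same URI
    "10.0.0.7 GET http://example.org/index.html 93.184.216.34",     # benign
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"{hit.client:<10} {hit.reason:<24} {hit.indicator}")
    print("\n".join(iptables_rules()))
```

The callback-URI check is deliberately placed before the IP and domain lookups: the six callback hosts in the IOC list differ, but the URI does not, so a client POSTing to `/data/info.php` on an address you have never seen is still the strongest signal of a Locky infection on your network.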
