pseudoDarkleech Leads to Neutrino EK at 137.74.223.56 and Drops CryptMIC Ransomware

IOCs:

184.106.55.75 – getfueled.com – Compromised Site
137.74.223.56 – baldonafunktionel.kayhaggard.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains ransom notes

Hashes:
SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558
File name: NeutrinoEK Landing Page at 137.74.223.56

SHA256: 6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e
File name: NeutrinoEK SWF Exploit

SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d
File name: rad8B9FC.tmp.dll

The Infection Chain:
The infection chain starts off with the compromised website containing the simple pseudoDarkleech iframe tag:

The iframe redirects the host to the Neutrino EK landing page, which contains instructions for the Flash exploit:

Above in the landing page you can see the URI for the Flash exploit.

Below is the GET for that Flash exploit:

Following the Flash exploit is the usual Neutrino EK GET for an additional .html file:

Lastly we see the GET for the CryptMIC payload:

The payload and some other CryptMIC files are dropped in %TEMP%:

Ransom notes are dropped in numerous locations once the system has been compromised:

We can also see the post-infection traffic going over TCP port 443. However, the traffic isn't actually encrypted: the ransom notes are sent in the clear:

I would recommend blocking both the EK IP and the callback IP at your perimeter firewall (see IOCs at the top).
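As an added example (not code from the original post), the following Python triage script applies the two points above to flow records: it flags any flow to the EK or callback IP from the IOC list, and flags tcp/443 flows whose first bytes are not a TLS record header, which is how the cleartext ransom-note traffic described above would stand out. The flow-log line format and the sample lines are constructed assumptions for illustration; the IPs and hashes are the ones listed at the top of the post.

```python
# IOCs taken from the post above: EK IP, callback IP and the three SHA256 hashes.
EK_IP = "137.74.223.56"
CALLBACK_IP = "46.165.246.9"
BLOCK_LIST = {EK_IP, CALLBACK_IP}
KNOWN_SHA256 = {
    "2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558",  # landing page
    "6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e",  # SWF exploit
    "7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d",  # rad8B9FC.tmp.dll
}

# Assumed (constructed) flow-log format: "<time> <src> <dst> <dport> <first payload bytes as hex>".
# 10.0.0.5 is a constructed victim host; 203.0.113.10 is a constructed benign HTTPS destination.
SAMPLE_FLOWS = [
    "12:00:01 10.0.0.5 184.106.55.75 80 474554202f20485454502f312e31",   # GET / HTTP/1.1
    "12:00:02 10.0.0.5 137.74.223.56 80 474554202f",                     # GET to the EK host
    "12:00:05 10.0.0.5 46.165.246.9 443 506f73742f",                     # plaintext on tcp/443
    "12:00:09 10.0.0.5 203.0.113.10 443 160301",                         # TLS handshake record header
]


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes form a TLS record header: type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def is_known_sample(sha256_hex: str) -> bool:
    """Match a dropped file's SHA256 (e.g. from %TEMP%) against the hashes in the IOC list."""
    return sha256_hex.lower() in KNOWN_SHA256


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, hexbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "payload": bytes.fromhex(hexbytes)}


def triage(lines):
    """Return (timestamp, destination, reason) tuples for flows that match the post's observations."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in BLOCK_LIST:
            alerts.append((f["ts"], f["dst"], "known-bad destination (see IOCs)"))
        # The callback traffic here used port 443 without TLS; a non-TLS first record on 443 is the tell.
        if f["dport"] == 443 and not looks_like_tls(f["payload"]):
            alerts.append((f["ts"], f["dst"], "non-TLS payload on tcp/443"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```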

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
