pseudoDarkleech Leads to Neutrino EK at and Drops CryptMIC Ransomware

IOCs (addresses redacted from the original):
– Compromised Site
– Neutrino EK
– SSL/HTTPS callback traffic – Contains ransom notes

SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558
File name: NeutrinoEK Landing Page at

SHA256: 6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e
File name: NeutrinoEK SWF Exploit

SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d
File name: rad8B9FC.tmp.dll

The Infection Chain:
The infection chain starts off with the compromised website containing the simple pseudoDarkleech iframe tag:

The iframe redirects the host to the Neutrino EK landing page, which contains the instructions for the Flash exploit:

Above in the landing page you can see the URI for the Flash exploit.

Below is the GET for that Flash exploit:

Following the Flash exploit is the usual Neutrino EK GET for an additional .html file:

Lastly we see the GET for the CryptMIC payload:

The payload and some other CryptMIC files are dropped in %TEMP%:

Ransom notes are dropped in numerous locations once the system has been compromised:

We can also see the post-infection traffic going over TCP port 443. However, the traffic isn’t being encrypted as the ransom notes are being sent in the clear:
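As an added illustration (my own example, not code from the original post), a small Python triage check for the point above: a genuine TLS session on TCP/443 opens with a ClientHello record, whereas the CryptMIC callback carries plaintext. The sample payloads are constructed, not captured from this infection.

```python
"""Flag TCP/443 client payloads that are not TLS.

A TLS connection begins with a record-layer header: content type 0x16
(handshake), version 0x03 0x0X, a 2-byte length, then handshake type
0x01 (ClientHello). A first payload that does not look like this, but
is mostly printable text, is cleartext riding on the "HTTPS" port,
which is exactly what the CryptMIC callback traffic does.
"""
import string

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
PRINTABLE = set(string.printable.encode())


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS ClientHello record."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    rec_len = int.from_bytes(payload[3:5], "big")
    return (content_type == TLS_HANDSHAKE and major == 0x03 and minor <= 0x03
            and rec_len > 0 and payload[5] == TLS_CLIENT_HELLO)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII (text-like payload)."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify_443_flow(first_client_payload: bytes) -> str:
    """Return 'tls', 'cleartext' or 'unknown' for a flow's first client bytes."""
    if looks_like_tls_client_hello(first_client_payload):
        return "tls"
    if printable_ratio(first_client_payload) > 0.9:
        return "cleartext"
    return "unknown"


def cleartext_443_flows(flows: dict) -> list:
    """Names of flows (name -> first client payload) that should be alerted on."""
    return sorted(name for name, data in flows.items()
                  if classify_443_flow(data) == "cleartext")


# Constructed sample flows (hypothetical, not from the incident capture).
SAMPLE_FLOWS = {
    "browser-tls": b"\x16\x03\x01" + (45).to_bytes(2, "big") + b"\x01" + b"\x00" * 44,
    "ransom-note-callback": b"YOUR FILES HAVE BEEN ENCRYPTED\r\nContact: <placeholder>\r\n",
    "binary-blob": bytes(range(256)),
}
```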

I would recommend blocking both the EK IP and the callback IP at your perimeter firewall (see IOCs at the top).
