pseudoDarkleech Leads to Neutrino EK at 188.165.197.194 and Drops CryptMIC Ransomware

IOCs:

184.106.55.84 – busbycabinets.com – Compromised Site
188.165.197.194 – apulaisista.scrubs101webstore.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains Ransom Note

Hashes:
SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7
File name: Neutrino EK Landing Page.html

SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a
File name: Neutrino EK Flash Exploit.swf

SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d
File name: rad432F6.tmp.dll

Traffic:

The Infection Chain:
The infection chain starts off with the compromised website containing the simple pseudoDarkleech iframe tag:


The iframe redirects the host to the Neutrino EK landing page, which contains the instructions for loading the Flash exploit:

Above in the landing page you can see the URI for the Flash exploit.

Below is the GET for that Flash exploit:

Following the Flash exploit is the usual Neutrino EK GET for an additional .html file:

Opening the .html file shows only a “1”.

Lastly we see the GET request for the CryptMIC payload:

The payload and some other CryptMIC files are dropped in the %TEMP% folder:

Ransom notes are dropped in numerous locations once the system has been compromised:

Filenames aren't encrypted or obfuscated, and no new extension is appended to them. The easiest way to tell whether a file has been encrypted is to open it and look at the contents.
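Because the filenames are left alone, "open it and look" does not scale across a file server. As an added example (not code from the original post), the Python below automates that look with two heuristics: byte entropy near 8 bits/byte, and, for file types with a known magic header, a header that no longer matches the extension. It assumes the encryptor overwrites the file from the first byte onward, header included; the samples are constructed, and the magic-byte table is a small hand-picked subset.

```python
import math
import os
import random
from collections import Counter
from typing import Optional

# Expected leading bytes for a few common document types (hand-picked subset).
# A file whose name carries one of these extensions but whose contents no
# longer start with the magic bytes has had its header overwritten, which is
# what wholesale encryption of the file does (assumption: the encryptor
# starts at byte 0).
MAGIC_BY_EXT = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    # OOXML (docx/xlsx/pptx) is a ZIP container, as is .zip itself.
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def header_matches(filename: str, data: bytes) -> Optional[bool]:
    """True/False when the extension has a known magic; None when it does not."""
    ext = os.path.splitext(filename)[1].lower()
    expected = MAGIC_BY_EXT.get(ext)
    if expected is None:
        return None
    return any(data.startswith(m) for m in expected)


def looks_encrypted(filename: str, data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic: high byte entropy AND (for known types) a clobbered header.

    Compressed formats (ZIP, JPEG, PNG) also sit near 8 bits/byte, so entropy
    alone would flag them; the header check separates "legitimately dense"
    from "overwritten with ciphertext".
    """
    high_entropy = shannon_entropy(data) >= threshold
    hdr = header_matches(filename, data)
    if hdr is None:  # unknown type: entropy is all we have
        return high_entropy
    return high_entropy and not hdr


def scan_tree(root: str, threshold: float = 7.2, head_bytes: int = 65536):
    """Walk a directory and yield paths whose first head_bytes look encrypted."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue
            if looks_encrypted(name, head, threshold):
                yield path


# Constructed samples (not taken from the infection): a plaintext note, an
# intact PDF header followed by text, and a seeded pseudo-random blob standing
# in for a PDF whose contents, header included, were overwritten with ciphertext.
_rng = random.Random(1)
PLAINTEXT_SAMPLE = b"Quarterly report: revenue was flat, costs rose 3%.\n" * 40
INTACT_PDF_SAMPLE = b"%PDF-1.4\n" + PLAINTEXT_SAMPLE
ENCRYPTED_PDF_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in [("notes.txt", PLAINTEXT_SAMPLE),
                       ("report.pdf", INTACT_PDF_SAMPLE),
                       ("report.pdf", ENCRYPTED_PDF_SAMPLE)]:
        print(f"{name:12s} entropy={shannon_entropy(blob):.2f} "
              f"encrypted={looks_encrypted(name, blob)}")
```

Run `scan_tree(r"C:\Users")` (or any share root) to list suspects. Expect some noise from legitimately compressed or already-encrypted data (archives with unusual extensions, password-protected documents, key material), so treat the output as a triage list, not a verdict.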

We can also see the post-infection traffic going over TCP port 443. The traffic isn't actually TLS, though: the ransom note is sent in the clear, so it is readable straight off the wire.
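Plaintext on port 443 is a useful detection in its own right, independent of the IP. As an added example (not from the original post), the Python below inspects the first bytes a client sends on a 443 flow and checks whether they form a TLS record header (content type 0x14-0x17, version 0x03 0x00-0x04, and for a handshake record a ClientHello type byte); anything else on 443 is flagged as fake TLS. The flows are constructed byte strings, including a made-up ransom-note body; reading them from a pcap with a library such as dpkt or scapy is left to the reader.

```python
from typing import List, Tuple

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes),
# followed for handshake records by the handshake message type (1 byte).
TLS_CCS, TLS_ALERT, TLS_HANDSHAKE, TLS_APPDATA = 0x14, 0x15, 0x16, 0x17
TLS_CONTENT_TYPES = {TLS_CCS, TLS_ALERT, TLS_HANDSHAKE, TLS_APPDATA}
CLIENT_HELLO = 0x01


def classify_tcp_payload(payload: bytes) -> str:
    """Label the first client-to-server bytes of a TCP stream.

    Returns "tls-client-hello", "tls-record" or "not-tls". Only the record
    header is examined; that is enough to say whether what is on port 443 is
    a TLS session at all, which is the question here.
    """
    if len(payload) < 6:
        return "not-tls"
    ctype, major, minor = payload[0], payload[1], payload[2]
    # Record-layer version is 0x0300 (SSL3) through 0x0304; TLS 1.3 still
    # advertises 0x0301/0x0303 in the record header.
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return "not-tls"
    if ctype == TLS_HANDSHAKE and payload[5] == CLIENT_HELLO:
        return "tls-client-hello"
    return "tls-record"


def printable_preview(payload: bytes, limit: int = 60) -> str:
    """ASCII view of the payload head, for showing what leaked in the clear."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:limit])


Flow = Tuple[str, str, int, bytes]  # (src, dst, dst_port, first client bytes)


def find_fake_tls(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (src, dst) for flows to port 443 whose first bytes are not TLS."""
    return [(src, dst) for src, dst, port, data in flows
            if port == 443 and classify_tcp_payload(data) == "not-tls"]


# Constructed samples (not captured traffic). The ClientHello prefix is a
# syntactically valid TLS 1.0 record header plus the start of a ClientHello;
# the callback body is invented text standing in for a ransom note.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
PLAINTEXT_CALLBACK = (b"POST / HTTP/1.1\r\nHost: 46.165.246.9\r\n\r\n"
                      b"[constructed] YOUR FILES HAVE BEEN ENCRYPTED ...")
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "93.184.216.34", 443, CLIENT_HELLO_PREFIX),   # normal HTTPS
    ("10.0.0.5", "46.165.246.9", 443, PLAINTEXT_CALLBACK),     # callback, no TLS
    ("10.0.0.5", "93.184.216.34", 80, b"GET / HTTP/1.1\r\n"),  # plain HTTP, fine
]

if __name__ == "__main__":
    for src, dst in find_fake_tls(SAMPLE_FLOWS):
        data = next(d for s, t, _, d in SAMPLE_FLOWS if (s, t) == (src, dst))
        print(f"{src} -> {dst}:443 not TLS: {printable_preview(data)!r}")
```

Any IDS with TLS dissection will raise the same flag (Suricata, for instance, logs an application-layer protocol of "failed" or non-tls on 443), but the check above is small enough to drop into a pcap-triage script without standing up a sensor.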

I would recommend blocking both the EK IP and the callback IP at your perimeter firewall (see IOCs at the top).
