18.104.22.168 – busbycabinets.com – Compromised Site
22.214.171.124 – apulaisista.scrubs101webstore.com – Neutrino EK
126.96.36.199 – SSL/HTTPS callback traffic – Contains Ransom Note
File name: Neutrino EK Landing Page.html
File name: Neutrino EK Flash Exploit.swf
File name: rad432F6.tmp.dll
The Infection Chain:
The infection chain starts off with the compromised website containing the simple pseudoDarkleech iframe tag:
Above in the landing page you can see the URI for the Flash exploit.
Below is the GET for that Flash exploit:
Following the Flash exploit is the usual Neutrino EK GET for an additional .html file:
Opening the .html file shows only a “1”.
Lastly we see the GET request for the CryptMIC payload:
The payload and some other CryptMIC files are dropped in %TEMP% folder:
Ransom notes are dropped in numerous locations once the system has been compromised:
Filenames aren’t encrypted or obfuscated and they aren’t appended with anything new. The easiest way to tell if a file is encrypted is to open it and look.
We can also see the post-infection traffic going over TCP port 443. However, the traffic isn’t being encrypted as the ransom notes are being sent in the clear.
I would recommend blocking both the EK IP and the callback IP at your perimeter firewall (see IOCs at the top).