Tag: Neutrino Exploit Kit


Neutrino EK Stops Advertisements While Rig EK Activity Increases

I personally haven’t documented a Neutrino EK compromise since September 11, 2016. Before that point, Neutrino EK was very active in the EK scene, as it took the top spot from Angler following the arrest of the Lurk gang. The question is: why has there been such a noticeable drop-off in Neutrino activity? Malware ...


pseudoDarkleech Leads to Neutrino EK at 188.165.197.194 and Drops CryptMIC Ransomware

IOCs:
184.106.55.84 – busbycabinets.com – Compromised Site
188.165.197.194 – apulaisista.scrubs101webstore.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains Ransom Note

Hashes:
SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7 – File name: Neutrino EK Landing Page.html
SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a – File name: Neutrino EK Flash Exploit.swf
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d – File name: rad432F6.tmp.dll

Traffic:

The Infection Chain: The infection chain starts off with the ...


pseudoDarkleech Leads to Neutrino EK at 137.74.223.56 and Drops CryptMIC Ransomware

IOCs:
184.106.55.75 – getfueled.com – Compromised Site
137.74.223.56 – baldonafunktionel.kayhaggard.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains ransom notes

Hashes:
SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558 – File name: NeutrinoEK Landing Page at 137.74.223.56
SHA256: 6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e – File name: NeutrinoEK SWF Exploit
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d – File name: rad8B9FC.tmp.dll

The Infection Chain: The infection chain starts off with the compromised ...


Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:
50.97.68.34 – eddieoneverything.com – Compromised Site
138.68.18.73 – null.delayofgame.com – Afraidgate JS
5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK

HTTP requests:
URL: hxxp://95.85.19.195/data/info.php – TYPE: POST
URL: hxxp://188.127.249.32/data/info.php – TYPE: POST
URL: hxxp://dutluhnnx.info/data/info.php – TYPE: POST
URL: hxxp://kqudpyjbcd.biz/data/info.php – TYPE: POST

DNS requests:
dutluhnnx.info (69.195.129.70)
afgmbssj.org
vlrdkvkt.pw
jybqbxjcwowph.xyz
ggfwsvmnsunvb.work
kqudpyjbcd.biz (58.158.177.102)

TCP connections:
95.85.19.195:80
188.127.249.32:80
69.195.129.70:80
58.158.177.102:80

Hashes:
SHA256: ...


Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:
195.58.170.31 – skopikundlohn[.]at – Compromised Site
138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS
5.2.73.124 – kqccnxro.thatset.top – Neutrino EK
188.127.249.32 – POST /data/info.php – callback traffic
95.85.19.195 – POST /data/info.php – callback traffic

Hashes:
SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550 – File name: crew.nbbgradstudents.com.js
SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9 – File name: Neutrino EK Landing Page.htm
SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b – File name: Neutrino EK SWF Exploit.swf
...


pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs:
181.224.139.64 – stjoeschool[.]org – Compromised Website
74.208.161.160 – besucador.me-audio.co.uk – Neutrino EK
85.14.243.9 – CryptMIC post-infection traffic via TCP port 443

Hashes:
SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f – File name: Neutrino EK Landing Page.html
SHA256: 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4 – File name: Neutrino EK SWF Exploit.swf
SHA256: 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6 – File name: rad050CF.tmp.dll

So again we find that the pseudo-Darkleech campaign has been leading ...


pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs:
181.224.138.165 – etratech[.]com – Compromised Website
74.208.161.160 – spuitvissen.mycasemanager.co.uk – Neutrino EK
85.14.243.9 – CryptMIC post-infection traffic over TCP port 443

Hashes:
SHA256: 3f8bedcc1f738469b7fae7446387aeeb5b4e1b8f1b5bb810a155be25fb148410 – File name: Neutrino EK Landing Page.html
SHA256: bc2f96dbdca32491b5966fcf4ee22bda4ad25c5abcb660780ce7baddc2e00d2c – File name: Neutrino EK SWF Exploit.swf
SHA256: dc5a6e8098e30ee0d2fad66dd038ca76801e70d82db36903db7040b9c2cb3f05 – File name: rad63FC3.tmp.dll

Infection chain is pseudoDarkleech campaign to Neutrino EK to CryptMIC ransomware. ...
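The posts above all describe the same shape of chain (compromised site, optionally an Afraidgate script, a Neutrino EK landing page and SWF on one server IP, then a ransomware callback), and the value of the listed IOCs is in turning them into a detection. The script below is an added example, not code from the original posts: it collects the IPs, callback domains, the POST /data/info.php path and the rad*.tmp.dll hashes from the excerpts on this page, matches them against proxy-style log lines, and rebuilds the per-client stage sequence so that an EK hit with no following callback (a failed exploit) is distinguished from a completed infection. The log format and the sample lines are constructed for illustration; the EK hostnames in the posts are rotating subdomains of shadowed legitimate domains, so the matching keys on the server IP rather than on the hostname.

```python
"""Match the Neutrino EK / pseudoDarkleech / Afraidgate IOCs listed on this
page against proxy log lines.  Added example; IOC values come from the post
excerpts, the log format and sample lines are constructed."""
import re
from collections import defaultdict

# --- IOCs from the post excerpts on this page -----------------------------
NEUTRINO_EK_IPS = {"188.165.197.194", "137.74.223.56", "5.2.73.124", "74.208.161.160"}
AFRAIDGATE_IPS = {"138.68.18.73"}
CRYPTMIC_CALLBACK_IPS = {"46.165.246.9", "85.14.243.9"}          # SSL/HTTPS, TCP 443
LOCKY_CALLBACK_IPS = {"95.85.19.195", "188.127.249.32", "69.195.129.70", "58.158.177.102"}
LOCKY_CALLBACK_DOMAINS = {"dutluhnnx.info", "kqudpyjbcd.biz"}
LOCKY_CALLBACK_PATH = "/data/info.php"                          # always POST
PAYLOAD_SHA256 = {
    "7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d": "CryptMIC (rad432F6.tmp.dll / rad8B9FC.tmp.dll)",
    "35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6": "CryptMIC (rad050CF.tmp.dll)",
    "dc5a6e8098e30ee0d2fad66dd038ca76801e70d82db36903db7040b9c2cb3f05": "CryptMIC (rad63FC3.tmp.dll)",
}

# Constructed (hypothetical) proxy log format:
#   <timestamp> <client_ip> <method> <url-or-host:port> <status> <dest_ip>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
URL_RE = re.compile(r"^(?:https?://)?([^/:]+)(?::(\d+))?(/.*)?$")

# Constructed sample log: one CryptMIC chain, one Afraidgate/Locky chain,
# one EK contact with no callback, and one benign request.
SAMPLE_LOG = [
    "2016-09-08T14:02:11Z 10.0.0.15 GET http://busbycabinets.com/ 200 184.106.55.84",
    "2016-09-08T14:02:13Z 10.0.0.15 GET http://apulaisista.scrubs101webstore.com/ 200 188.165.197.194",
    "2016-09-08T14:02:15Z 10.0.0.15 GET http://apulaisista.scrubs101webstore.com/x.swf 200 188.165.197.194",
    "2016-09-08T14:02:40Z 10.0.0.15 CONNECT 46.165.246.9:443 200 46.165.246.9",
    "2016-09-08T15:10:02Z 10.0.0.22 GET http://null.delayofgame.com/x.js 200 138.68.18.73",
    "2016-09-08T15:10:05Z 10.0.0.22 GET http://aqxsgncqro.anyoneshall.top/ 200 5.2.73.124",
    "2016-09-08T15:10:30Z 10.0.0.22 POST http://dutluhnnx.info/data/info.php 200 69.195.129.70",
    "2016-09-08T15:11:00Z 10.0.0.31 GET http://www.example.com/index.html 200 93.184.216.34",
    "2016-09-08T16:00:00Z 10.0.0.40 GET http://besucador.me-audio.co.uk/ 200 74.208.161.160",
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status, dst_ip = m.groups()
    u = URL_RE.match(target)
    host, port, path = (u.group(1), u.group(2), u.group(3) or "/") if u else (target, None, "/")
    if port is None:
        port = "443" if target.startswith("https://") else "80"
    return {"ts": ts, "client": client, "method": method.upper(), "host": host,
            "port": int(port), "path": path, "status": int(status), "dst_ip": dst_ip}


def classify(rec):
    """Return the chain stage a parsed record belongs to, or None."""
    # EK hostnames (e.g. apulaisista.scrubs101webstore.com) are rotating
    # subdomains of shadowed legitimate domains, so the registered domain
    # would false-positive on the real site; key on the server IP instead.
    if rec["dst_ip"] in NEUTRINO_EK_IPS:
        return "neutrino_ek"
    if rec["dst_ip"] in AFRAIDGATE_IPS:
        return "afraidgate_js"
    if (rec["method"] == "POST" and rec["path"] == LOCKY_CALLBACK_PATH
            and (rec["host"] in LOCKY_CALLBACK_DOMAINS or rec["dst_ip"] in LOCKY_CALLBACK_IPS)):
        return "locky_callback"
    if rec["dst_ip"] in CRYPTMIC_CALLBACK_IPS and rec["port"] == 443:
        return "cryptmic_callback"
    return None


def scan(lines):
    """Return one hit dict per log line that matches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            hits.append({"line": n, "client": rec["client"], "stage": label,
                         "host": rec["host"], "dst_ip": rec["dst_ip"]})
    return hits


def chains(hits):
    """Group hits per client in log order.  An EK hit followed by a callback is
    a completed infection; an EK hit alone is an attempt (e.g. exploit failed)."""
    per_client = defaultdict(list)
    for h in hits:
        if h["stage"] not in per_client[h["client"]]:
            per_client[h["client"]].append(h["stage"])
    return {c: {"stages": s,
                "completed": "neutrino_ek" in s and any(x.endswith("_callback") for x in s)}
            for c, s in per_client.items()}


def classify_hash(sha256):
    """Look up a SHA256 against the payload hashes listed on this page."""
    return PAYLOAD_SHA256.get(sha256.lower())


if __name__ == "__main__":
    for client, info in chains(scan(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(info["stages"]),
              "(completed)" if info["completed"] else "(attempt only)")
```

The per-client grouping is what makes the IOC list actionable: a client that only reached the EK IP needs a browser/plugin check, while one that also produced a callback needs the host pulled and the rad*.tmp.dll hash checked. The same hashes are reused across posts (7d5611... appears in both 188.165.197.194 and 137.74.223.56 posts), so hash matching catches repeat payloads even when the EK server moves.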