CRYPTXXX campaigns, threat actors switch to Neutrino EK

Security experts from the SANS observed that new CryptXXX ransomware campaigns are leveraging on the Neutrino Exploit Kit instead the Angler Exploit Kit.

Crooks behind the CryptXXX ransomware have launched a new campaign leveraging on the Neutrino Exploit Kit instead the Angler Exploit Kit. It was a significant change in the attack chain that was discovered by the experts from the SANS Internet Storm Center.

The experts identified the ransomware-based attacks as the pseudo-Darkleech campaign.

“By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware.  Until then, I’d only seen Angler EK distribute CryptXXX.  However, this is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK.” wrote Brad Duncan. “It was documented as early as August 2015.  This can be confusing, especially if you’re expecting Angler EK.  Campaigns can (and occasionally do) switch EKs.”

The changes in the attack method were observed concurrently to a resurgence of the CryptXXX ransomware that observed in the wild with improved features, including a new encryption algorithm and a new StillerX credential-stealing module.

The attacks leveraging the Neutrino EK observed by the experts target the Java runtime environment, recently the exploit kit was integrated with the code for the exploitation of the CVE-2016-4117 vulnerability in the Adobe Flash software.

“Last month, Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version,” said Duncan.

The recent campaign spotted by the SANS Internet Storm Center related the pseudo-Darkleech campaign were using the Neutrino EK to spread the CryptXXX ransomware.

In the same period, the researcher discovered a website compromised through injected script also for another ransomware campaign dubbed EITest campaign.

“On Tuesday 2016-06-07, I found a website with injected script for both the pseudo-Darkleech campaign and the EITest campaign.” wrote Duncan.

The experts observed an increase in the virulence of the attacks, in some cases websites compromised were hosting servers for both the pseudo-Darkleech campaign and the EITest campaign operated to serve the CryptXXX ransomware.

“In both cases, Neutrino EK delivered CryptXXX ransomware as a DLL file.  As usual with CryptXXX infections, we sawC:\Windows\System32\rundll32.exe copied to the same folder as the CryptXXX DLL file.  In this case, it was re-namedexplorer.exe.” reported the analysis published by the SANS Center.

The two CryptXXX DLL files from these infections are:

  • 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll (419 kB) – VirusTotal link
    SHA256: d322e664f5c95afbbc1bff3f879228b40b8edd8e908b95a49f2eb87b9038c70b
  • 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll (440 kB) – VirusTotal link
    SHA256: 75a927e636c788b7e54893161a643c258fecbbf47d6e7308d3439091aa3ce534

“I was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic,” Duncan added.

Give a look to the detailed analysis published SANS for further information on the attacks.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.