CRYPTXXX campaigns, threat actors switch to Neutrino EK

Security experts from the SANS observed that new CryptXXX ransomware campaigns are leveraging on the Neutrino Exploit Kit instead the Angler Exploit Kit.

Crooks behind the CryptXXX ransomware have launched a new campaign leveraging on the Neutrino Exploit Kit instead the Angler Exploit Kit. It was a significant change in the attack chain that was discovered by the experts from the SANS Internet Storm Center.

The experts identified the ransomware-based attacks as the pseudo-Darkleech campaign.

“By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware.  Until then, I’d only seen Angler EK distribute CryptXXX.  However, this is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK.” wrote Brad Duncan. “It was documented as early as August 2015.  This can be confusing, especially if you’re expecting Angler EK.  Campaigns can (and occasionally do) switch EKs.”

The changes in the attack method were observed concurrently to a resurgence of the CryptXXX ransomware that observed in the wild with improved features, including a new encryption algorithm and a new StillerX credential-stealing module.

The attacks leveraging the Neutrino EK observed by the experts target the Java runtime environment, recently the exploit kit was integrated with the code for the exploitation of the CVE-2016-4117 vulnerability in the Adobe Flash software.

“Last month, Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version 21.0.0.213,” said Duncan.

The recent campaign spotted by the SANS Internet Storm Center related the pseudo-Darkleech campaign were using the Neutrino EK to spread the CryptXXX ransomware.

In the same period, the researcher discovered a website compromised through injected script also for another ransomware campaign dubbed EITest campaign.

“On Tuesday 2016-06-07, I found a website with injected script for both the pseudo-Darkleech campaign and the EITest campaign.” wrote Duncan.

The experts observed an increase in the virulence of the attacks, in some cases websites compromised were hosting servers for both the pseudo-Darkleech campaign and the EITest campaign operated to serve the CryptXXX ransomware.

“In both cases, Neutrino EK delivered CryptXXX ransomware as a DLL file.  As usual with CryptXXX infections, we sawC:\Windows\System32\rundll32.exe copied to the same folder as the CryptXXX DLL file.  In this case, it was re-namedexplorer.exe.” reported the analysis published by the SANS Center.

The two CryptXXX DLL files from these infections are:

• 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll (419 kB) – VirusTotal link
  SHA256: d322e664f5c95afbbc1bff3f879228b40b8edd8e908b95a49f2eb87b9038c70b

• 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll (440 kB) – VirusTotal link
  SHA256: 75a927e636c788b7e54893161a643c258fecbbf47d6e7308d3439091aa3ce534

“I was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic,” Duncan added.

Give a look to the detailed analysis published SANS for further information on the attacks.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CryptXXX, ransomware)