Afraidgate campaign switches from CryptXXX to Locky Ransomware

Pierluigi Paganini August 02, 2016

Operators behind the Afraidgate campaign continue to leverage on Neutrino EK, but switches from CryptXXX to Locky Ransomware.

According to the experts from Palo Alto Networks, one of the most long-lived hacking campaigns leveraging on the Neutrino EK switches from CryptXXX to the Locky Ransomware.

The campaign dubbed Afraidgate due to the name of the gate domains (using name servers from afraid[.]org) used by its operators, has been running for several months by crooks that were distributing the Locky threat via Neutrino EK.

“By mid-July 2016, the Afraidgate campaign stopped distributing CryptXXX ransomware. It is now distributing the “.zepto” variant of Locky. Afraidgate has been using Neutrino exploit kit (EK) to distribute malware after Angler EK disappeared in early June 2016. As we previously reported, this campaign continues to utilize gate domains using name servers from” states the analysis published by PaloAlto Networks.

The hackers compromise legitimate websites and inject the redirection code to lead visitors to a redirection gate. Then the victim is redirected to a landing page containing the exploit code.

“After the victim’s computer connects to the URL on an Afraidgate domain, the server returns more Javascript with an iframe leading to a Neutrino EK landing page.”


Afraidgate campaign

“Neutrino EK domains for this campaign tend to use .top as the top level domain (TLD). Otherwise, we see no surprises. Neutrino is a well-known EK that has been documented by others.” states Brad Duncan from PaloAlto Networks

If the visitor’s machine uses a vulnerable software, the exploit code is executed to deliver and install the ransomware.

The Afraidgate campaign was spreading Locky in March via the infamous Nuclear EK, but its operators switched to the Angler EK to deliver the CryptXXX in April. After the disappearance of the Angler EK from June, the campaign switched to Neutrino EK to serve CryptXXX.

Since the July 11, 2016, the Afraidgate campaign has been serving the Zepto variant of Locky leveraging always on the same exploit kit.

Month Exploit Kit Malware
March 2016 Nuclear EK Locky
April 2016 Angler EK CryptXXX
June 2016 Neutrino EK CryptXXX
July 11, 2016 Neutrino EK Zepto (Locky Variant)

“As early as June 29, 2016, we saw the Afraidgate campaign deliver Locky ransomware. This campaign switched between delivering CryptXXX and Locky ransomware during the next two weeks. July 11, 2016, was the last time we saw Afraidgate deliver CryptXXX. Since then, this campaign has been consistently delivering Locky.” continues the analysis.

Other large-scale campaigns switched to Neutrino after Angler EK disappeared from the threat landscape, including the EITest and pseudo-Darkleech campaigns.

Security experts who analyzed the Afraidgate campaign have confirmed that Neutrino is responsible for the largest EK traffic at the moment, crooks leveraged on it to spread the ransomware.

The PaloAlto Network analysis confirms that operators behind large campaigns like Afraidgate constantly change tactics.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Afraidgate campaign, Neutrino EK)

you might also like

leave a comment