pseudoDarkleech Script Leads to Neutrino EK at Which Drops CryptMIC Ransomware

IOCs: – – Neutrino Exploit Kit – CryptMIC Ransomware C2 via TCP port 443 (clear text)

Payment Sites:

Ransom notes:

As Brad Duncan from points out there has been a recent change in patterns for the pseudoDarkleech campaign. It has shifted from large blocks of obfuscated code on the compromised sites to the use of injected iframes as the initial redirection mechanism:

Return HTTP traffic from the compromised site triggered an ET alert in Sguil for an unknown redirector leading to an EK; however, there were no alerts for the EK landing page or for the post-infection callback traffic:

The iframe (shown above) causes the initial redirection to the Neutrino EK landing page:

Below we see the GET request for the Neutrino EK SWF exploit (VirusTotal report):

The Flash file also appears to contain code designed to fingerprint the system as well as the actual exploit.

Again, near the end of the infection chain, right before the final payload, we see a request for an HTML file and a response containing a malformed packet:

This was followed by a GET request for an encrypted or obfuscated payload:

Below are the HTTP objects pulled from the PCAP:

The initial three-way handshake with the C2, followed by the ransom note being sent in the clear over TCP port 443:

Here is a better look at the request and response:
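Since the callback above produced no IDS alert, a cheap hunting check is to flag port 443 flows whose first client payload is not a TLS record at all. The following is an added example, not code from the original post or from the tools it mentions; the flows, IP addresses and "ransom note" bytes are constructed for illustration and do not reproduce the real CryptMIC traffic.

```python
# Added example: find TCP/443 flows that carry cleartext instead of TLS.
# Input is a list of (src, dst, dport, first_client_payload) tuples, as you
# might extract from a PCAP with a flow tool; the samples below are constructed.

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}

def looks_like_tls(payload: bytes) -> bool:
    """True if the first five bytes form a plausible TLS record header:
    a known content type, protocol major 0x03, minor 0x00..0x03, then length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    return ctype in TLS_CONTENT_TYPES and major == 0x03 and minor <= 0x03

def cleartext_on_443(flows):
    """Return (src, dst, first 40 bytes) for every port-443 flow whose first
    client payload is not TLS: candidates for cleartext C2 like the callback
    in this post. HTTP on port 80 is expected and is not reported."""
    hits = []
    for src, dst, dport, payload in flows:
        if dport == 443 and payload and not looks_like_tls(payload):
            hits.append((src, dst, payload[:40]))
    return hits

# Constructed samples (documentation-range IPs, made-up bytes).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
FAKE_CLEARTEXT_C2 = b"YOUR FILES ARE ENCRYPTED. ID=PLACEHOLDER\r\n"

SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, TLS_CLIENT_HELLO),          # normal HTTPS
    ("10.0.0.5", "198.51.100.7", 443, FAKE_CLEARTEXT_C2),         # cleartext on 443
    ("10.0.0.5", "203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),  # plain HTTP
]

if __name__ == "__main__":
    for src, dst, head in cleartext_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {src} -> {dst} first bytes {head!r}")
```

A real deployment would take the first client payload from each flow in the capture and alert on the non-TLS hits; the same check can be expressed as a Suricata rule on `tcp` port 443 with `app-layer-protocol:!tls`.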


Screenshots of the CryptMIC ransom notes and desktop:


