- red.kamyuenenterprise.hk – JS Redirect – 220.127.116.11
- vsjgvbaz.anythingwork.top – Neutrino EK – 18.104.22.168
- 22.214.171.124 POST /php/upload.php – Locky post-infection callback traffic
- JS file: 049add46d0a527b50a605573c98330ceabaf533559f06e6fc4795cf6ca326bc1
- Neutrino EK landing Page: 2bf38bb619b4c89f39356b5e1dac87ffd013e1aefb95617b3d015a5f74856757
- Neutrino EK Flash Exploit: fbf67ebbf326ec0b6379d5461b3893eb864fc6c346f71c93a467e90e8aea3354
- Neutrino EK Locky Payload: 542209ebd40928a0b4e016fcdd0813f3444dbf139ae3adfc194843abeacdf1fd
Visiting the compromised site and looking at the source code I found a script within the HTML tags pointing to the Afraidgate URL:
The response used gzip compression, however, pulling the file and opening it as a .txt document shows the response contains an iframe:
That iframe points to the Neutrino Exploit Kit landing page. Here is the GET request and response:
Again, the response is using gzip compression. Below is the HTML code found on the landing page:
Once the victim is redirected to the landing page their browser is directed, via the object tag in the HTML, to load the Flash Player and then play the SWF file found in the URL. If the user doesn’t have Flash Player the browser is given instructions to download it.
Here is the actual GET request for that Flash file found in the URL and the response from the server:
The Flash file usually contains multiple exploits typically affecting IE and Flash Player.
The Flash exploit is followed by an additional request for an empty .html file (malfored packet in Wireshark). I’m still not sure why this happens:
Lastly we see that the Locky payload is dropped:
After the payload we can see the typical post-infection callback traffic for Locky using direct IPs instead of domains:
Once the system has been compromised there are ransom notes dropped on the desktop and in the user’s directories. Filenames are obfuscated and appended with a .zepto.
Here is a common Neutrino EK framework:
Also something to note is that each directory that contains encrypted files has a .HTML ransom note with the following format: _[number]_HELP_instructions.
I took a screenshot of the ransom notes in case analyst want to see what they look like. I also added a screenshot of what the encrypted files look like: