pseudoDarkleech Leads to Neutrino EK Which Drops CryptMIC Ransomware

IOCs:
– etratech[.]com – Compromised Website
– – Neutrino EK
– – CryptMIC post-infection traffic over TCP port 443

SHA256: 3f8bedcc1f738469b7fae7446387aeeb5b4e1b8f1b5bb810a155be25fb148410
File name: Neutrino EK Landing Page.html

SHA256: bc2f96dbdca32491b5966fcf4ee22bda4ad25c5abcb660780ce7baddc2e00d2c
File name: Neutrino EK SWF Exploit.swf

SHA256: dc5a6e8098e30ee0d2fad66dd038ca76801e70d82db36903db7040b9c2cb3f05
File name: rad63FC3.tmp.dll

The infection chain is the pseudoDarkleech campaign leading to Neutrino EK, which drops CryptMIC ransomware. Needless to say, I’ve been seeing a lot of Neutrino EK leading to CryptMIC recently.

Here is the injected script found on the compromised website:

The iframe redirects the host to the Neutrino EK landing page shown below:
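The injected iframe is the pivot from the compromised site to the EK landing page, so a quick triage check is to pull every iframe out of a page and flag the ones that are hidden (tiny dimensions, CSS hiding, or off-screen positioning). The script below is an added example, not code from the original post; the HTML it parses is a constructed sample and the landing-page host in it is a placeholder, not the IOCs from this case.

```python
"""Flag hidden or off-screen iframes in a page's HTML (added example, not from the post)."""
from html.parser import HTMLParser
import re

# Constructed sample page: one normal embed plus an injected, hidden iframe.
# The .invalid host is a placeholder, not a real IOC.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div style="position:absolute; top:-9999px;">
<iframe src="http://example-landing.invalid/path/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect <iframe> attributes, remembering the styles of enclosing <div>s."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # one attribute dict per <iframe>
        self._div_styles = []  # style attribute of each open <div>, innermost last

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "div":
            self._div_styles.append(a.get("style", ""))
        elif tag == "iframe":
            a["_parent_styles"] = " ".join(self._div_styles)
            self.iframes.append(a)

    def handle_endtag(self, tag):
        if tag == "div" and self._div_styles:
            self._div_styles.pop()


def _px(value):
    """Parse a width/height attribute like '1' or '1px' into an int, else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_suspicious_iframes(html):
    """Return iframes that are hidden, with the reasons they were flagged."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        reasons = []
        w, h = _px(f.get("width")), _px(f.get("height"))
        if w is not None and h is not None and w <= 2 and h <= 2:
            reasons.append("tiny dimensions")
        # Look at the iframe's own style and at any enclosing div's style.
        styles = (f.get("style", "") + " " + f["_parent_styles"]).lower().replace(" ", "")
        if "display:none" in styles or "visibility:hidden" in styles:
            reasons.append("hidden via CSS")
        if re.search(r"(top|left):-\d+px", styles):
            reasons.append("positioned off-screen")
        if reasons:
            src = f.get("src", "")
            host = re.sub(r"^https?://", "", src).split("/")[0].lower()
            hits.append({"src": src, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

These are heuristics for triage, not a signature: real pseudoDarkleech injects were often obfuscated JavaScript that wrote the iframe at runtime, so a static pass like this catches the rendered or deobfuscated form, and any third-party host it surfaces still needs to be checked against known EK infrastructure.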

The URI of the SWF file is visible in the EK landing page. Here is the GET for the Flash exploit, followed by the usual GET for an empty HTML file:

The last GET from the host to the server is for the final payload:
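The request sequence described above (landing page, Flash exploit, empty HTML file, then the payload, all from the same EK server within a short window) is itself a usable detection. The script below is an added example, not code from the original post: it runs that sequence check over a constructed proxy log whose timestamps, hosts and URIs are placeholders, not the traffic from this case.

```python
"""Detect a Neutrino-style EK request chain in proxy logs (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not a capture from this case).
# Fields: time client server method uri status mime bytes
SAMPLE_LOG = """\
2016-07-26T13:00:01 10.0.0.5 www.example.invalid GET /index.html 200 text/html 18422
2016-07-26T13:00:02 10.0.0.5 ek.example.invalid GET /landing/index.php?id=1 200 text/html 5210
2016-07-26T13:00:03 10.0.0.5 ek.example.invalid GET /flash/exploit.swf 200 application/x-shockwave-flash 41200
2016-07-26T13:00:03 10.0.0.5 ek.example.invalid GET /empty.html 200 text/html 0
2016-07-26T13:00:05 10.0.0.5 ek.example.invalid GET /payload 200 application/octet-stream 302080
2016-07-26T13:00:09 10.0.0.5 cdn.example.invalid GET /video.swf 200 application/x-shockwave-flash 900000
"""


def parse(lines):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, client, server, method, uri, status, mime, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client, "server": server,
                       "method": method, "uri": uri, "status": int(status),
                       "mime": mime, "bytes": int(size)})
    return events


def find_ek_chains(lines, window_s=60):
    """Return client/server pairs showing SWF -> empty HTML -> binary payload within window_s."""
    by_pair = defaultdict(list)
    for e in parse(lines):
        by_pair[(e["client"], e["server"])].append(e)

    chains = []
    for (client, server), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])  # stable, so same-second order is preserved
        for i, swf in enumerate(evs):
            if swf["mime"] != "application/x-shockwave-flash" or swf["status"] != 200:
                continue
            deadline = swf["ts"] + timedelta(seconds=window_s)
            later = [e for e in evs[i + 1:] if e["ts"] <= deadline]
            # The tell-tale empty HTML response right after the exploit.
            empty_html = next((e for e in later if e["mime"] == "text/html" and e["bytes"] == 0), None)
            # The final binary download from the same server.
            payload = next((e for e in later if e["mime"] == "application/octet-stream" and e["bytes"] > 0), None)
            # The most recent HTML page before the SWF is the likely landing page.
            landing = next((e for e in reversed(evs[:i]) if e["mime"] == "text/html" and e["bytes"] > 0), None)
            if empty_html and payload:
                chains.append({"client": client, "server": server,
                               "landing": landing["uri"] if landing else None,
                               "swf": swf["uri"], "empty_html": empty_html["uri"],
                               "payload": payload["uri"]})
    return chains


if __name__ == "__main__":
    for c in find_ek_chains(SAMPLE_LOG):
        print(f"{c['client']} -> {c['server']}: {c['landing']} {c['swf']} {c['empty_html']} {c['payload']}")
```

A lone SWF download (the cdn host in the sample) does not fire, which keeps the rule quiet on ordinary Flash content; what makes the chain distinctive is the zero-byte HTML and the binary fetched from the same server within the window. Real proxy logs will need the field mapping in parse() adjusted, and the MIME type of the payload should be treated as a hint, since EK servers do not always label it honestly.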

Here is the .dll dropped in the %APPDATA% folder:

As with my other samples from today, the host makes some post-infection requests over TCP port 443; however, the server doesn’t seem to be responding.

Looking at the infected host, you can also see the ransom note displayed on the Desktop and in numerous folders, including the Temp folder shown above.
