pseudoDarkleech Leads to Neutrino EK at Which Drops CryptMIC Ransomware

IOCs:
– stjoeschool[.]org – Compromised Website
– – Neutrino EK
– – CryptMIC post-infection traffic via TCP port 443

SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f
File name: Neutrino EK Landing Page.html

SHA256: 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4
File name: Neutrino EK SWF Exploit.swf

SHA256: 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6
File name: rad050CF.tmp.dll

So again we find that the pseudoDarkleech campaign has been leading to a lot of Neutrino EK traffic, which in turn has been dropping CryptMIC ransomware.

Here is the pseudoDarkleech code injected into the compromised website:

The iframe points the host to the Neutrino EK landing page:

The Neutrino EK landing page (shown above) contains instructions for downloading the SWF exploit. Again, you can see the URI for the Flash file on the landing page.
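The injected-iframe step above, as an added example that is not code from the original post: a small Python check that flags iframes which point at a host other than the page's own host and are made invisible (1px dimensions or a hiding inline style). The sample HTML, the page host "www.example.com" and the placeholder EK host "ek-host.invalid" are constructed for illustration and are not the real injection or landing page.

```python
# Added example (not code from the original post): flag iframes that look
# injected. Heuristic: an iframe whose src points at a host other than the
# page's own host AND that is made invisible (tiny width/height or a hiding
# style). The HTML below is constructed; "ek-host.invalid" is a placeholder.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # html.parser already lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for width/height values of 1px or less (a classic hiding trick)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(style):
    """True if the inline style hides the element or pushes it off-screen."""
    s = style.replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or "left:-" in s or "top:-" in s)


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == page_host.lower():
            continue  # same-origin or relative src: normal site content
        reasons = ["third-party host %s" % host]
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("tiny dimensions")
        if _is_hidden(attrs.get("style", "")):
            reasons.append("hidden via inline style")
        if len(reasons) > 1:  # third-party AND deliberately invisible
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate same-origin iframe and one hidden
# iframe pointing at the placeholder EK host.
SAMPLE_HTML = """<html><body>
<h1>School calendar</h1>
<iframe src="https://www.example.com/calendar" width="600" height="400"></iframe>
<iframe src="http://ek-host.invalid/landing" width="1" height="1"
        style="visibility:hidden; position:absolute; left:-5000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```

A visible third-party iframe (an embedded video, an ad frame) is deliberately not flagged on its own; the check fires only when the frame is both foreign and hidden, which is the combination an injection into a compromised site relies on.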

Here are the GET requests for the SWF exploit and an empty HTML file:

The final GET request made by the host is for the CryptMIC payload:

Following the delivery of the payload we can see multiple files created in %APPDATA%:

As with my other samples from today, the host makes some requests via TCP port 443 to the CryptMIC post-infection server (listed in the IOCs above); however, the server doesn't seem to be responding.
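The request chain described above (landing page, SWF exploit, empty HTML, payload), as an added example that is not from the original post: a Python detector that walks a proxy log and reports, per client, an HTML page on some host that was reached via a referer on a different site, followed within a short window by a Flash object and then a non-empty binary download from that same host. The log lines, the compromised site "compromised-site.example" and the placeholder EK host "ek-host.invalid" are all constructed for illustration.

```python
# Added example (not from the original post): spot the Neutrino-style request
# chain in a proxy log. For one client, within a short window:
#   1. an HTML page on host X, referred from a *different* site (the
#      compromised site pointing at the EK landing page),
#   2. a Flash (SWF) object from the same host X,
#   3. a non-empty binary download from host X (the payload).
# Log lines, hosts and paths are constructed; "ek-host.invalid" is a placeholder.
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from urllib.parse import urlparse

SWF_TYPES = {"application/x-shockwave-flash"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample log: time,client,method,url,status,content_type,bytes,referer
SAMPLE_LOG = """\
2016-08-23T14:01:02Z,10.0.0.5,GET,http://compromised-site.example/,200,text/html,48211,-
2016-08-23T14:01:03Z,10.0.0.5,GET,http://ek-host.invalid/landing,200,text/html,5012,http://compromised-site.example/
2016-08-23T14:01:04Z,10.0.0.5,GET,http://ek-host.invalid/exploit.swf,200,application/x-shockwave-flash,60330,http://ek-host.invalid/landing
2016-08-23T14:01:04Z,10.0.0.5,GET,http://ek-host.invalid/empty.html,200,text/html,0,http://ek-host.invalid/landing
2016-08-23T14:01:06Z,10.0.0.5,GET,http://ek-host.invalid/payload,200,application/octet-stream,295936,-
2016-08-23T14:05:00Z,10.0.0.7,GET,http://www.example.com/index.html,200,text/html,2200,-
2016-08-23T14:05:01Z,10.0.0.7,GET,http://ads.example.net/frame.html,200,text/html,900,http://www.example.com/index.html
2016-08-23T14:05:02Z,10.0.0.7,GET,http://ads.example.net/banner.swf,200,application/x-shockwave-flash,12000,http://ads.example.net/frame.html
"""


def parse_log(text):
    """Parse the CSV log into dicts with a datetime plus URL and referer hosts."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if not rec:
            continue
        when, client, method, url, status, ctype, size, referer = rec
        rows.append({
            "time": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "url": url,
            "host": (urlparse(url).hostname or "").lower(),
            "ctype": ctype.split(";")[0].strip().lower(),
            "bytes": int(size),
            "referer_host": (urlparse(referer).hostname or "").lower() if referer != "-" else "",
        })
    return rows


def find_ek_chains(rows, window=timedelta(seconds=60)):
    """Return one dict per landing -> SWF -> payload chain found per client."""
    by_client = defaultdict(list)
    for row in rows:
        by_client[row["client"]].append(row)

    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["time"])
        for i, landing in enumerate(reqs):
            # Step 1: HTML on host X that was reached from some other host
            if landing["ctype"] != "text/html":
                continue
            if not landing["referer_host"] or landing["referer_host"] == landing["host"]:
                continue
            swf = payload = None
            for nxt in reqs[i + 1:]:
                if nxt["time"] - landing["time"] > window:
                    break
                if nxt["host"] != landing["host"]:
                    continue
                if swf is None and nxt["ctype"] in SWF_TYPES:
                    swf = nxt                      # Step 2: the Flash exploit
                elif swf is not None and nxt["ctype"] in BINARY_TYPES and nxt["bytes"] > 0:
                    payload = nxt                  # Step 3: the binary payload
                    break
            if swf and payload:
                chains.append({
                    "client": client,
                    "compromised_site": landing["referer_host"],
                    "ek_host": landing["host"],
                    "landing": landing["url"],
                    "swf": swf["url"],
                    "payload": payload["url"],
                })
    return chains


if __name__ == "__main__":
    for chain in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

The second client in the sample loads a third-party ad frame and its Flash banner but never fetches a binary from that host, so no chain is reported; the empty HTML request seen in the capture is not required by the detector because it is not diagnostic on its own. In real traffic the payload's Content-Type is not always honest, so a production rule should also key on the landing/SWF/large-download sequence and timing rather than on content types alone.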

Looking at the infected host you can also see the ransom note being displayed on the Desktop as well as in numerous folders, including the Temp folder shown above.
