pseudoDarkleech Leads to Neutrino EK at and Drops CryptMIC Ransomware

IOCs: – – Compromised Site – – Neutrino EK – SSL/HTTPS callback traffic – Contains Ransom Note

SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7
File name: Neutrino EK Landing Page.html

SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a
File name: Neutrino EK Flash Exploit.swf

SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d
File name: rad432F6.tmp.dll


The Infection Chain:
The infection chain starts off with the compromised website containing the simple pseudoDarkleech iframe tag:

The iframe redirects the host the Neutrino EK landing page which contains instructions for the Flash exploit:

Above in the landing page you can see the URI for the Flash exploit.

Below is the GET for that Flash exploit:

Following the Flash exploit is the usual Neutrino EK GET for an additional .html file:

Opening the .html file shows only a “1”.

Lastly we see the GET request for the CryptMIC payload:

The payload and some other CryptMIC files are dropped in %TEMP% folder:

Ransom notes are dropped in numerous locations once the system has been compromised:


Filenames aren’t encrypted or obfuscated and they aren’t appended with anything new. The easiest way to tell if a file is encrypted is to open it and look.

We can also see the post-infection traffic going over TCP port 443. However, the traffic isn’t being encrypted as the ransom notes are being sent in the clear.

I would recommend blocking both the EK IP and the callback IP at your perimeter firewall (see IOCs at the top).

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: