Last Updated: 2016-08-18 03:41:46 UTC
by Brad Duncan (Version: 1)
Earlier today, I ran across a compromised website with injected script from both the pseudo-Darkleech campaign and the EITest campaign. This is similar to another compromised site I reported back in June 2016, shortly after Angler exploit kit (EK) disappeared from the EK scene . At that time, the pseudo-Darkleech and EITest campaigns had switched to Neutrino EK.
Earlier week, we saw reports on pseudo-Darkleech and EITest switching between Neutrino EK and Rig EK [2, 3]. These two campaigns have a history of switching EKs [4, 5, 6, 7]. Because of that, I generated infection traffic from both campaigns campaigns using the same compromised site. This diary examines infection from both campaigns.
For the relationship between campaigns and EKs, see this blog post.
In the images below, you'll find injected script from both campaigns in the same web page.
As previously noted, I've never seen both infections at the same time. I've only generated EK traffic from one campaign or the other. Injected script from the pseudo-Darkleech campaign tends to prevent injected script by other campaigns from running.
Pseudo-Darkleech Neutrino EK infection
By July 2016, injected script from the pseudo-Darkleech campaign had changed patterns, and that pattern of injected script remains in use as of mid-August 2016. In today's infection traffic from the pseudo-Darkleech campaign, we saw Neutrino EK send CrypMIC ransomware.
For those unfamiliar with CrypMIC ransomware, it's a new branch of the CryptXXX family first reported on 2016-07-06 . At first, I continued calling it CryptXXX, despite some noticeable differences in post-infection activity. Others soon noticed this new branch was using a different versioning format than the original branch of CryptXXX . By 2016-07-20, TrendLabs analyzed the new branch, dubbing it "CrypMIC" , and I've been calling it CrypMIC ever since.
Using the ET Pro rulset, I also saw alerts for the post-infection traffic from CrypMIC (the new branch of CryptXXX).
Below are images from the traffic showing Neutrino EK and the post-infection activity.
The infected host looks like we've seen in recent CrypMIC infections. Of note, I haven't seen any infections using the previous branch of CryptXXX since 2016-07-25 .
EITest Rig EK infection
Injected script and traffic patterns from the EITest campaign have remained relatively consistent since Malwarebytes first identified this campaign in 2014 . Back then the EITest campaign usually led to Angler EK. We've seen it switch back and forth between Angler EK and Neutrino EK in 2015 and 2016. After Angler EK disappeared, the EITest campaign appears to have stuck with Neutrino EK until recently. Earlier this week, the EITest campaign led to Rig EK . Today's EITest infection chain also led to Rig EK, and it delivered a possible Vawtrak variant.
Using the ET Pro rulset, I saw alerts for Rig EK. Of note, Sundown EK has traffic patterns similar to Rig EK, so we see alerts for Sundown EK also in the list. But Sundown EK delivers its payload using different URL patterns than Rig EK, and the overall traffic is a solid fit for Rig EK.
We also see alerts for a possible Vawtrak variant that fit recent updates Vawtrak has reportedly made over the last few weeks .
Below are images from the traffic showing Rig EK and the post-infection traffic.
The malware is fairly basic in setting itself up for persistence. Shown below is the updated Windows registry key and location of the malware on an infected host.
Indicators of compromise (IOCs)
Pseudo-Darkleech Neutrino EK indicators:
- 220.127.116.11 port 80 - fussabtr.gymeme.co.uk - Neutrino EK
- 18.104.22.168 port 443 - CrypMIC post-infection traffic (custom encoded & clear text)
SHA256 hash of CrypMIC payload (.dll file):
EITest Rig EK indicators:
- 22.214.171.124 port 80 - kydiris.xyz - EITest gate
- 126.96.36.199 port 80 - i45h5.kinfacitontjo.top - Rig EK
- 188.8.131.52 port 443 - ubmfotihexo.ru - post-infection HTTPS/TLS traffic
- 184.108.40.206 port 443 - sgtxgkbi.ru - post-infection HTTPS/TLS traffic
- 220.127.116.11 port 80 - attempted TCP connection, no response
- 18.104.22.168 port 80 - attempted TCP connection, no response
SHA256 hash of possible Vawtrak variant payload (.exe file):
NOTE: Keep in mind that IP addresses and domains for both Neutrino and Rig EKs are constantly changing. The IOCs will probably have changed by the time you read this.
As always, properly administered Windows hosts following best security practices (up-to-date applications, latest operating system patches, software restriction policies, etc) should not be infected when running across these campaigns.
Unfortunately, a large percentage of people don't follow best practices, and their computers remain at risk. Until this situation changes, actors distributing malware through EK-based campaigns remain a significant threat.
Pcap and malware for this diary are located here.
brad [at] malware-traffic-analysis.net