2016-08-16 - PSEUDO-DARKLEECH GOES FROM NEUTRINO EK TO RIG EK THEN BACK TO NEUTRINO

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-08-16-pseudoDarkleech-campaign-traffic.zip   951.9 kB (951,942 bytes)

• 2016-08-16-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-blenheim-lodge_com.pcap   (537,339 bytes)
• 2016-08-16-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-convoyproperty_com.pcap   (443,414 bytes)
• 2016-08-16-pseudoDarkleech-Rig-EK-after-blenheim-lodge_com.pcap   (730,082 bytes)

• 2016-08-16-pseudoDarkleech-campaign-malware-and-artifacts.zip   879.5 kB (879,483 bytes)

• 2016-08-16-page-from-blenheim-lodge_com-with-injected-script-pointing-to-Neutrino-EK.txt   (99,574 bytes)
• 2016-08-16-page-from-blenheim-lodge_com-with-injected-script-pointing-to-Rig-EK.txt   (99,712 bytes)
• 2016-08-16-page-from-convoyproperty_com-with-injected-script-pointing-to-Neutrino-EK.txt   (98,098 bytes)
• 2016-08-16-pseudoDarkleech-CrypMIC-decrypt-instructions.HTML   (238,182 bytes)
• 2016-08-16-pseudoDarkleech-CrypMIC-decrypt-instructions.JPG   (228,351 bytes)
• 2016-08-16-pseudoDarkleech-CrypMIC-decrypt-instructions.TXT   (1,654 bytes)
• 2016-08-16-pseudoDarkleech-Neutrino-EK-flash-exploit-after-blenheim-lodge_com.swf   (80,112 bytes)
• 2016-08-16-pseudoDarkleech-Neutrino-EK-landing-page-after-blenheim-lodge_com.txt   (2,354 bytes)
• 2016-08-16-pseudoDarkleech-Neutrino-EK-landing-page-after-convoyproperty_com.txt   (2,346 bytes)
• 2016-08-16-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-convoyproperty_com.dll   (69,632 bytes)
• 2016-08-16-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-lenheim-lodge_com.dll   (69,632 bytes)
• 2016-08-16-pseudoDarkleech-Rig-EK-flash-exploit-after-blenheim-lodge_com.swf   (45,960 bytes)
• 2016-08-16-pseudoDarkleech-Rig-EK-landing-page-after-blenheim-lodge_com.txt   (5,086 bytes)
• 2016-08-16-pseudoDarkleech-Rig-EK-payload-after-lenheim-lodge_com.exe   (505,344 bytes)

 

NOTES:

• On Monday 2016-08-15 (US eastern time zone) sites I saw compromised for the pseudoDarkleech campaign were pointing to Rig EK that delivered an .exe payload.
• By Tuesday morning 2016-08-16 (US eastern time zone), these same sites were pointing back to Neutrino EK delivering CrypMIC ransomware.
• I wonder what further changes we will see from the pseudoDarkleech campaign (if the switch to Rig EK will happen again or not).

 

Shown above:  Flowchart for recent pseudoDarkleech-based infection traffic I've seen.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in page from a compromised site pointed to Rig EK on 2016-08-15 at 21:25 EDT.

 

Shown above:  Injected script from the pseudoDarkleech campaign in the same compromised site pointed to Neutrino EK on 2016-08-16 at 10:28 EDT.

 

Shown above:  Traffic from the 2016-08-15 infection filtered in Wireshark.   Wireshark filter: http.request

 

Shown above:  Traffic from the 2016-08-16 infection filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

ASSOCIATED DOMAINS:

• www.blenheim-lodge[.]com - Compromised site viewed on 2016-08-15
• 185.158.152[.]195 port 80 - tre.inparq[.]com - Rig EK
• No post-infection traffic noted from the payload

• www.blenheim-lodge[.]com - Same compromised site viewed on 2016-08-16
• www.convoyproperty[.]com - Another compromised site viewed on 2016-08-16
• 108.175.12[.]103 port 80 - threeribbedcharcutiere.recipmedia[.]uk - Neutrino EK
• 85.14.243[.]9 port 443 - CrypMIC post-infection traffic (custom encoded and clear text, not HTTPS/SSL)

DOMAINS FROM THE CRYPMIC DECRYPT INSTRUCTIONS:

• ccjlwb22w6c22p2k.onion[.]to
• ccjlwb22w6c22p2k.onion[.]city

NOTE: The above 2 domains from the decrypt instructions are the same ones I've seen from CrypMIC since 2016-07-26.

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  32ee6bba01eb6d609b429115d5a1d21b33a60c2efac8d61bf3154daee8885345
  File name:  2016-08-16-pseudoDarkleech-Rig-EK-flash-exploit-after-blenheim-lodge_com.swf

• SHA256 hash:  69f6eddbfe75c63ee6e2850d819838f920772428756c1c00fe5be586ef84fee1
  File name:  2016-08-16-pseudoDarkleech-Neutrino-EK-flash-exploit-after-blenheim-lodge_com.swf

 

PAYLOADs:

• SHA256 hash:  c4daadcbb525b96644f672025f3a4f3261a40a7b6250f3c726de3f4566cb6cf3
  File name:  2016-08-16-pseudoDarkleech-Rig-EK-payload-after-lenheim-lodge_com.exe

• SHA256 hash:  646120107374aa4505042a6e3f4e63ee3f12d06282d0b79894736c96e6e50348
  File name:  2016-08-16-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-lenheim-lodge_com.dll
File name:  2016-08-16-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-after-convoyproperty_com.dll

 

IMAGES

Shown above:  Injected script from the pseudoDarkleech campaign in page from another compromised site on 2016-08-16 pointing to Neutrino EK.

 

Shown above:  Traffic from the other 2016-08-16 pseudoDarkleech Neutrino EK pcap filtered in Wireshark.

 

Shown above:  Desktop of an infected Windows host on 2016-08-16 after rebooting.

 

Click here to return to the main page.