2016-07-19 - THOMAS HEGEL - NEUTRINO EK - EITEST CAMPAIGN
- This blog post was submitted by Thomas Hegel, a threat researcher in Colorado.
I've been tracking multiple Neutrino exploit kit (EK) infections recently that match the patterns below, each leading the victim to an infection. This particular infection occurred on July 14th, 2016. It is part of the EITest campaign, using the campaign ID "ranxep." Here is a quick post on my findings.
- Compromised domain with injected script: b-r-u-n-o.it
- EITest gate: nyujuhu.ml
- Neutrino EK: uetql.gv198n.top
- Post-infection checkin: wassuseidund.ru
The compromised WordPress site contained an injected script at b-r-u-n-o.it/studio/. The script was placed at the end of the page, which is typical for websites compromised by the EITest campaign. The script loads a redirect to the EITest gate (the nyujuhu.ml domain listed above).
The EITest gate at nyujuhu.ml then performs a Flash check and redirects to the Neutrino EK domain, in this case uetql.gv198n.top.
Once at the Neutrino EK domain, there is another Flash load for humble-discuss-purple-adult-enemy-stop.swf. This is a Flash exploit from the EK.
Finally, the encrypted payload is downloaded from the same domain and decrypted into an executable file on the soon-to-be-infected host.
At this point the exploit kit has done its job, and the remaining activity is post-infection traffic. It begins with a simple IP check to api.ipify.org. Keep in mind that this is not a malicious domain on its own; it is simply used for a connectivity/location check.
The malware then begins beaconing outbound to its command and control (C2) infrastructure at wassuseidund.ru. With this sample, the beacons continued every two minutes, posting the victim host information to the domain's gate.php page.
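The two traffic patterns described above, the referrer chain from the compromised site through the gate to the EK domain and the fixed two-minute POST cadence to gate.php, are both things a defender can pull out of ordinary proxy logs. The script below is an added example and is not code from the original post or from the campaign; the log lines in it are constructed (only the hostnames and the .swf filename come from the post, the "/landing" and "/payload" paths are placeholders), and the tolerance and minimum-count thresholds are assumptions chosen for illustration.

```python
"""Reconstruct an EK redirect chain and flag periodic C2 beacons from proxy logs.

Added example for the Neutrino EK / EITest post above; not the author's code.
The log below is constructed for illustration, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from urllib.parse import urlparse

# Constructed proxy log: time, method, host, path, referer ("-" when absent).
# Hosts and the .swf name are from the post; "/landing" and "/payload" are placeholders.
SAMPLE_LOG = """\
2016-07-14T10:00:00 GET b-r-u-n-o.it /studio/ -
2016-07-14T10:00:01 GET nyujuhu.ml / http://b-r-u-n-o.it/studio/
2016-07-14T10:00:02 GET uetql.gv198n.top /landing http://nyujuhu.ml/
2016-07-14T10:00:03 GET uetql.gv198n.top /humble-discuss-purple-adult-enemy-stop.swf http://uetql.gv198n.top/landing
2016-07-14T10:00:04 GET uetql.gv198n.top /payload http://uetql.gv198n.top/landing
2016-07-14T10:01:30 GET api.ipify.org / -
2016-07-14T10:02:00 POST wassuseidund.ru /gate.php -
2016-07-14T10:04:00 POST wassuseidund.ru /gate.php -
2016-07-14T10:06:00 POST wassuseidund.ru /gate.php -
2016-07-14T10:08:01 POST wassuseidund.ru /gate.php -
"""


def parse_log(text):
    """Parse the space-separated log format above into a list of dicts."""
    entries = []
    for line in text.splitlines():
        ts, method, host, path, referer = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "method": method,
            "host": host,
            "path": path,
            "referer_host": urlparse(referer).hostname if referer != "-" else None,
        })
    return entries


def referer_chain(entries, start_host):
    """Follow Referer headers forward from the compromised site.

    Each hop is a request to a new host whose referer is the previous hop,
    which is how the injected script -> gate -> EK landing sequence shows up.
    """
    chain = [start_host]
    for e in entries:
        if e["referer_host"] == chain[-1] and e["host"] != chain[-1]:
            chain.append(e["host"])
    return chain


def flash_loads(entries, hosts):
    """Return (host, path) for .swf objects served by the given hosts.

    Called with the hops after the compromised site, this isolates Flash content
    delivered by the gate/EK stages rather than by the original website.
    """
    return [(e["host"], e["path"]) for e in entries
            if e["host"] in hosts and e["path"].lower().endswith(".swf")]


def periodic_beacons(entries, min_count=3, tolerance_s=5.0):
    """Return {(host, path): mean_interval_s} for POST targets hit at a steady cadence.

    min_count and tolerance_s are assumed thresholds: at least min_count POSTs
    whose inter-request gaps all lie within tolerance_s of their mean.
    """
    by_target = defaultdict(list)
    for e in entries:
        if e["method"] == "POST":
            by_target[(e["host"], e["path"])].append(e["time"])
    found = {}
    for target, times in by_target.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if max(abs(g - avg) for g in gaps) <= tolerance_s:
            found[target] = avg
    return found


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    chain = referer_chain(entries, "b-r-u-n-o.it")
    print("redirect chain:", " -> ".join(chain))
    print("flash from gate/EK hosts:", flash_loads(entries, chain[1:]))
    for (host, path), interval in periodic_beacons(entries).items():
        print(f"periodic POST beacon: {host}{path} every ~{interval:.0f}s")
```

The referer walk only works when the redirect hops carry a Referer header, which is the case for the script- and Flash-driven redirects in this chain; a meta-refresh or a 302 without a referer would break the link, so in practice it is combined with the time window the requests fall in. The beacon check deliberately keys on cadence rather than on the gate.php name, since the C2 path changes between samples while the two-minute timer is what the binary itself imposes.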
The C2 domain wassuseidund.ru is a compromised legitimate website selling honey, based in the Republic of Mordovia, Russia.
The SHA256 hash of the decrypted payload is 026e44cb2b4e166e2f8cca0e3acfcbbc175800d3c18d077d2b20ab14835ee733.
Thanks for reading! Please contact me through my Twitter account via tweet or direct message if you have any questions.