2016-07-01 - NEUTRINO EK AND "REALSTATISTICS" GATE CHANGE

NOTES:

• Since yesterday (2016-06-30), it looks like the "realstatistics" gate leading to Neutrino EK has changed from realstatistics.info to realstatistics.pro.  See below for details.
• Background on the pseudoDarkleech campaign is available here.
• Of note, there is some significant packet loss in the first pseudoDarkleech pcap for today's blog.

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-01-all-three-pcaps.zip   1.7 MB (1,697,782 bytes)

• 2016-07-01-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-after-gennaroespositomilano.it.pcap   (715,824 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-second-example.pcap   (1,136,508 bytes)
• 2016-07-01-realstatistics-gate-traffic-after-tne.mx.pcap   (6,655 bytes)

ZIP archive of the malware/artifacts:  2016-07-01-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip   845.3 kB (845,257 bytes)

• 2016-07-01-page-from-gennaroespositomilano.it-with-injected-pseudoDarkleech-script.txt   (15,990 bytes)
• 2016-07-01-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
• 2016-07-01-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (36,201 bytes)
• 2016-07-01-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-flash-exploit-after-gennaroespositomilano.it.swf   (86,405 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-flash-exploit-second-example.swf   (85,196 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-landing-page-after-gennaroespositomilano.it.txt   (1,025 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-landing-page-second-example.txt   (1,105 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-gennaroespositomilano.it.dll   (458,752 bytes)
• 2016-07-01-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-second-example.dll   (368,640 bytes)

 

TRAFFIC

ASSOCIATED DOMAINS:

• tne.mx - compromised site with injected script pointing to a "realstatistics" gate
• 5.199.130.155 port 80 - realstatistics.pro - GET /js/analytics.php?id=123 - "realstatistics" gate

• www.gennaroespositomilano.it - compromised site with injected script from the pseudoDarkleech campaign
• 69.162.100.198 port 80 - koushuu.lumenmaster.co.uk - Neutrino EK
• 185.49.68.215 port 443 - CryptXXX callback traffic

• [information removed] - another compromised site with injected script from the pseudoDarkleech campaign
• 85.25.160.174 port 80 - personssastucieuses.maharajatandoori.net - Neutrino EK
• 185.49.68.215 port 443 - CryptXXX callback traffic

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  8417423f6519a42ca114d974d86d30f5262c26eb4ecee76b424e05c6418c1b73
  File name:  2016-07-01-pseudoDarkleech-Neutrino-EK-flash-exploit-after-gennaroespositomilano.it.swf

• SHA256 hash:  711298374c87bfbf19d3cbefcd24415978fbc914dba411a80911438831374eca
  File name:  2016-07-01-pseudoDarkleech-Neutrino-EK-flash-exploit-second-example.swf

 

MALWARE PAYLOADS:

• SHA256 hash:  cbe0262667f1bc96489641bd96c2fd704085555f90aab44132d8c0dfe54da8ca
  File name:  2016-07-01-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-after-gennaroespositomilano.it.dll

• SHA256 hash:  39ed07e5b0e326bd49402ed12b702756640477b43f76da6b21e6c2a314c086f8
  File name:  2016-07-01-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-second-example.dll

 

IMAGES

Shown above:  Injected script pointing to the "realstatistics" gate from a compromised website yesterday.

 

Shown above:  Injected script from the same site pointing to a different "realstatistics" gate today.

 

Shown above:  As you can see, the new "realstatistics" domain is using a different IP address and a slightly different URL.

 

Shown above:  Unfortunately, I haven't been able to get past this new gate.  The iframe looks like it's using a placeholder.

 

Shown above:  Neutrino EK and CryptXXX ransomware traffic kicked off by viewing gennaroespositomilano.it.

 

Shown above:  Injected pseudoDarkleech script in a page from a second compromised site.

 

Shown above:  Neutrino EK and CryptXXX ransomware traffic kicked off by viewing the second compromised site.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-01-all-three-pcaps.zip   1.7 MB (1,697,782 bytes)
• ZIP archive of the malware/artifacts:  2016-07-01-pseudoDarkleech-Neutrino-EK-malware-and-artifacts.zip   845.3 kB (845,257 bytes)

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.