CryptXXX Ransomware Jumps From Angler to Neutrino Exploit Kit

Internet Storm Center researchers spot more distribution changes for CryptXXX ransomware.

Crooks behind the revamped CryptXXX 3.100 ransomware have switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit. The sudden change in distribution was spotted on Monday by researchers at the SANS Internet Storm Center.

“This is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK,” wrote Brad Duncan, handler at SANS Internet Storm Center. But he said the switch was noteworthy because SANS had not yet seen CryptXXX distributed by Neutrino.

The move comes as security experts report a resurgence of the CryptXXX ransomware, which was recently revamped with a new encryption algorithm and a new StillerX credential-stealing module that gives attackers additional ways to monetize an attack.

Duncan said groups behind Angler have dropped CryptXXX like a rock, for now. Over the past few days, he hasn’t tracked any Angler samples that contain the CryptXXX payload.

The Neutrino EK is characterized by its targeting of the Java runtime environment. “Last month, Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version 21.0.0.213,” Duncan wrote.

The Angler EK typically seeks to attack computers by exploiting Java and Flash Player vulnerabilities as well as the Microsoft Silverlight plugin.

According to Duncan, on Monday he observed that the pseudo-Darkleech campaign had begun using Neutrino EK to send CryptXXX ransomware. On Tuesday, Duncan reported an even more virulent form of the attacks, finding a website with injected scripts for both the pseudo-Darkleech campaign and the EITest campaign. In both instances, infected sites were distributing the CryptXXX ransomware as a DLL file, named either 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll or 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll.

“I was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic,” Duncan wrote in a technical write-up of his findings.

Duncan said that while Neutrino EK traffic patterns have remained consistent, the only change of note is that the EK now sticks to TCP port 80.
