An anime site popular in Mexico and South America was this week infected with malware redirecting visitors to a Neutrino Exploit Kit landing page.
The site, Jkanime, streams anime video and has 33 million monthly visitors.
Neutrino is currently the top dog among exploit kits after two of the bigger kits, Angler and Nuclear, have apparently been abandoned.
Researchers at Forcepoint, a Raytheon company, disclosed the attacks this week. Nicholas Griffin, senior security researcher said the payload is the CryptXXX 3.0 ransomware, which has mainly been distributed by Neutrino since Angler’s disappearance in late June.
Griffin said Jkanime was injected with script that includes a JavaScript file that loads an iFrame redirecting to the Neutrino landing page. He added that it does not appear the site is compromised any longer.
“If just 1% of the visitors to the site were infected over the course of the 2 days that we know the site was compromised for, then this would account for at least 20,000 malware infections,” Griffin said. “It is not guaranteed that CryptXXX would have been dropped for every infected user, but that is the primary malware being dropped by Neutrino EK at the present time.”
The same infection chain was also used in the Afraidgate campaign identified by Palo Alto Networks; gate domains in that campaign are hosted at afraid[.]org. The original Afraidgate campaigns used Angler to exploit vulnerabilities in browsers and third-party applications to deliver Bedep click-fraud malware.
Afraidgate has now moved over to Neutrino, which appears to be the successor to Angler.
Researchers who study exploit kits said traffic related to the Nuclear Exploit Kit disappeared in April after a research report from Check Point Software Technologies exposed the infrastructure supporting the kit, along with the exploits and vulnerabilities it targets, the control panel, master server, infection flow and internal logic.
Nuclear was primarily moving Locky ransomware, which earlier this year was responsible for infections at major health care organizations in the U.S., affecting patient care and access to patient information.
Angler’s disappearance, meanwhile, is being connected to 50 arrests made in Russia who were allegedly responsible for the creation and distribution of the Lurk malware. Angler-related traffic disappeared around the same time.
A Proofpoint report published this week said criminals running malvertising campaign have also moved operations to Neutrino along with CryptXXX distribution.
“By our estimates, Neutrino dropping CryptXXX [infections] accounts for as much as 75 percent of observed exploit kit traffic, and another 10 percent combined from Neutrino and Magnitude dropping Cerber ransomware,” the report says. “Most of the remaining 15 percent of EK traffic is RIG dropping a variety of payloads (banking Trojan, info stealers, loaders) on lower-value malvertising traffic, with various smaller EKs such as Sundown, Kaixin, Hunter and others making up the last 1 percent of total observed EK traffic.”
The CryptXXX infections stemming from Jkanime are demanding a ransom of 1.2 Bitcoin, approximately $900 USD. CryptXXX has overtaken Locky and other crypto-ransomware families. It was recently overhauled with a significant investment made in new encryption capabilities as well as the addition of a credential-stealing module called StillerX.
CryptXXX encrypts locally stored files as well as attached storage devices. The latest CryptXXX version, 3.1, scans port 445 for shared network resources and encrypts files stored there.