Introduction

When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware. This happened after an infection caused by Neutrino EK triggered from the pseudoDarkleech campaign.
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven't found anything online yet describing these recent changes, so this diary takes a quick look at the traffic.
Details

Today's EK traffic was on 198.71.54.211 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK (these campaigns formerly used Angler EK [1, 2, 3] before Angler disappeared). Post-infection traffic went to 91.220.131.147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year [4].
Below are some screenshots of the Neutrino EK traffic.
In a change of behavior, text and HTML files for the CryptXXX decryption instructions are downloaded in the clear during the post-infection traffic.
I used my Security Onion setup to see what Snort-based alerts triggered. Looks like the EmergingThreats team already has a signature covering the new CryptXXX post-infection traffic.
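As an added illustration of how a defender could flag the two traffic characteristics described above (custom-encoded, non-TLS traffic on TCP 443 and cleartext text/HTML ransom-note downloads) outside of Snort, here is a small Python script that runs simple rules over Zeek-style conn.log and files.log records. This is not code from the diary or from Security Onion; the log lines are constructed for the example, the only indicators taken from the diary are the two IP addresses, and the file names, timestamps, and the benign host 203.0.113.10 are made up.

```python
"""Flag CryptXXX-style post-infection traffic in Zeek-style logs.

Added example, not from the original diary. The watchlist IPs come from the
diary; all log records below are constructed for illustration.
"""

# Indicators quoted in the diary (EK host and post-infection host).
WATCHLIST = {"198.71.54.211", "91.220.131.147"}

# Constructed conn.log subset: ts, orig_h, resp_h, resp_p, proto, service,
# orig_bytes, resp_bytes (tab-separated, Zeek-style). The benign host
# 203.0.113.10 is a documentation address chosen for the example.
CONN_LOG = """\
1467820000.1\t192.168.122.52\t198.71.54.211\t80\ttcp\thttp\t1200\t45000
1467820030.5\t192.168.122.52\t91.220.131.147\t443\ttcp\t-\t3100\t9800
1467820040.2\t192.168.122.52\t203.0.113.10\t443\ttcp\tssl\t800\t5200
1467820060.9\t192.168.122.52\t91.220.131.147\t443\ttcp\thttp\t400\t22000
"""

# Constructed files.log subset: ts, tx_host, rx_host, mime_type, filename.
# The ransom-note file names are placeholders, not the real CryptXXX names.
FILES_LOG = """\
1467820060.9\t91.220.131.147\t192.168.122.52\ttext/html\tdecryption_instructions.html
1467820061.0\t91.220.131.147\t192.168.122.52\ttext/plain\tdecryption_instructions.txt
1467820070.0\t203.0.113.10\t192.168.122.52\timage/png\tlogo.png
"""

CONN_FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "proto", "service",
               "orig_bytes", "resp_bytes")
FILES_FIELDS = ("ts", "tx_host", "rx_host", "mime_type", "filename")


def parse_tsv(text, fields):
    """Turn tab-separated log lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("\t")))
            for line in text.strip().splitlines()]


def non_tls_on_443(conns):
    """Responder hosts that were contacted on TCP 443 without Zeek seeing TLS.

    CryptXXX's custom encoding over 443 shows up this way: the port says
    HTTPS but the protocol analyser never identified an SSL/TLS handshake.
    """
    return {c["resp_h"] for c in conns
            if c["proto"] == "tcp" and c["resp_p"] == "443"
            and c["service"] != "ssl"}


def analyze(conn_text=CONN_LOG, files_text=FILES_LOG, watchlist=WATCHLIST):
    """Return a list of (rule, host, detail) findings."""
    conns = parse_tsv(conn_text, CONN_FIELDS)
    files = parse_tsv(files_text, FILES_FIELDS)
    findings = []

    # Rule 1: any connection to a known EK or post-infection host.
    for c in conns:
        if c["resp_h"] in watchlist:
            findings.append(("watchlist-ip", c["resp_h"], c["resp_p"]))

    # Rule 2: port 443 traffic that is not TLS (custom encoding).
    suspicious = non_tls_on_443(conns)
    for host in sorted(suspicious):
        findings.append(("non-tls-443", host, "443"))

    # Rule 3: cleartext text/* downloads from a watchlisted or non-TLS-443
    # host, matching the diary's observation that the decryption
    # instructions are now fetched in the clear.
    for f in files:
        if f["mime_type"].startswith("text/") and (
                f["tx_host"] in watchlist or f["tx_host"] in suspicious):
            findings.append(("cleartext-ransom-note", f["tx_host"], f["filename"]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in analyze():
        print(f"{rule:22} {host:16} {detail}")
```

Rule 2 is the one that generalises beyond the IP watchlist: it needs no prior knowledge of the host and will still fire when the post-infection server moves, which happens constantly with these campaigns. The rule does need Zeek's service detection to be reliable; an environment with much non-TLS traffic on 443 (some VPNs, for instance) will need an allowlist before this is used as an alert rather than a hunting query.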
Below are two screenshots with HTML decryption instructions from the infected Windows host's desktop.

Final words

Although I haven't noticed anything yet, I'm sure some of the usual sources will have a more in-depth article on these recent changes in CryptXXX ransomware. This diary is just meant to give everyone a heads-up. Pcap and malware for this diary are located here.

---

References:

[1] http://blogs.cisco.com/security/talos/angler-domain-shadowing
Brad, ISC Handler, Jul 6th 2016