Researchers from SANS Internet Storm Center reported that the developers of CryptXXX 3.100 ransomware have switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit.
“This is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK,” wrote Brad Duncan, handler at SANS Internet Storm Center. According to Duncan, the switch was noteworthy because SANS had not yet seen CryptXXX distributed by Neutrino.
The switch comes as security experts report a resurgence of the CryptXXX ransomware, which was recently revamped with a new encryption algorithm and a new StillerX credential-stealing module that gives hackers additional capabilities to monetize an attack. Brad Duncan also stated that, for now, the gangs behind Angler have dropped CryptXXX like a rock. In recent days, he has not tracked any Angler samples that contain the CryptXXX payload.
Neutrino EK is characterized by its targeting of the Java Runtime Environment.
“Last month, Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version 220.127.116.11,” Duncan said.
Usually, Angler EK seeks to attack computers by exploiting Java and Flash Player vulnerabilities as well as the Microsoft Silverlight plugin. Duncan also said that on Monday, the pseudo-Darkleech campaign began using Neutrino EK to send CryptXXX ransomware.
On Tuesday, the researcher reported an even more virulent form of the attacks, finding a website with an injected script for both the pseudo-Darkleech campaign and the EITest campaign. In both instances, infected sites were distributing the CryptXXX ransomware as a DLL file named either 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll or 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll.
“I was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic,” Duncan wrote in a technical write-up of his findings. Duncan said that while Neutrino EK traffic patterns have remained consistent, the only notable change is that the EK now sticks to TCP port 80.
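The two observations above that matter to a defender are that the payload arrives as a DLL and that the EK traffic now stays on TCP port 80. The following added example, which is not code from the SANS write-up and uses a constructed record format rather than any real proxy log, shows one generic check that follows from that: parse the first bytes of captured HTTP response bodies, identify PE images by their MZ/PE headers, read the IMAGE_FILE_DLL flag from the file header, and flag DLLs served over port 80. The article gives no hostnames, URL patterns or payload bytes, so the hosts and PE-shaped bodies below are constructed for the sample.

```python
import struct
from dataclasses import dataclass

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag marking a DLL


@dataclass
class HttpResponseRecord:
    """One captured HTTP response. Constructed format for this example, not a real log schema."""
    host: str
    port: int
    content_type: str
    body_prefix: bytes  # first bytes of the response body


def pe_characteristics(data: bytes):
    """Return IMAGE_FILE_HEADER.Characteristics if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the signature; Characteristics is the u16 at offset 18 within it
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]


def is_dll_over_port80(rec: HttpResponseRecord) -> bool:
    """True when a PE with the DLL flag set was delivered on TCP port 80."""
    chars = pe_characteristics(rec.body_prefix)
    if chars is None or rec.port != 80:
        return False
    return bool(chars & IMAGE_FILE_DLL)


def flag_payload_deliveries(records):
    """Return the hosts that served a DLL over port 80, in the order seen."""
    return [r.host for r in records if is_dll_over_port80(r)]


def make_pe(characteristics: int) -> bytes:
    """Construct a minimal PE-shaped header for the sample (not a real or runnable binary)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr))
    hdr += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(hdr)


# Constructed sample capture: one DLL on port 80, one EXE on port 80,
# one DLL on port 443 and one ordinary HTML page.
SAMPLE_RECORDS = [
    HttpResponseRecord("ek-host.example", 80, "application/octet-stream", make_pe(0x2102)),
    HttpResponseRecord("installer.example", 80, "application/octet-stream", make_pe(0x0102)),
    HttpResponseRecord("update.example", 443, "application/x-msdownload", make_pe(0x2102)),
    HttpResponseRecord("news.example", 80, "text/html", b"<html><body>hello</body></html>"),
]

if __name__ == "__main__":
    print(flag_payload_deliveries(SAMPLE_RECORDS))
```

The check keys on the file header rather than on the URL or the advertised content type, because an EK can name a payload anything and set any Content-Type; the DLL flag in the PE header is what the loader actually honours. Running it on a real capture means feeding the function the first few hundred bytes of each response body from your proxy or packet data.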