Last Updated: 2016-07-06 18:54:06 UTC
by Brad Duncan (Version: 1)
When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware. This happened after an infection caused by Neutrino EK triggered from the pseudoDarkleech campaign.
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven't found anything online yet describing these recent changes, so this diary takes a quick look at the traffic.
Today's EK traffic was on 18.104.22.168 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK (formerly using Angler EK [1, 2, 3] before Angler disappeared). Post-infection traffic was over 22.214.171.124 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year .
Below are some screenshots of the Neutrino EK traffic.
In a change of behavior, text and HTML files for the CryptXXX decryption instructions are downloaded in the clear during the post-infection traffic.
Below are two screenshots with HTML decryption instructions from the infected Windows host's desktop.
Although I haven't noticed anything yet, I'm sure some of the usual sources will have a more in-depth article on these recent changes in CryptXXX ransomware. This diary is just meant to give everyone a heads-up.
Pcap and malware for this diary are located here.
brad [at] malware-traffic-analysis.net