Neutrino Exploit Kit Takes Over Distribution of CryptXXX Ransomware


Earlier this year, the malware authors behind the re-tweaked CryptXXX 3.1000 ransomware jumped from the Neutrino Exploit Kit over to the Angler Exploit Kit, choosing the latter as their distribution channel.

Researchers at the SANS Internet Storm Center first took notice of the change in June this year, at a time when the CryptXXX ransomware strain showed a resurgence with a reinforced encryption algorithm. As ThreatPost notes, the SANS researchers caught the switchover even though Neutrino was not distributing CryptXXX at the time of discovery. The ransomware strain also came with a new credential-stealing module called StillerX, giving attackers an additional way to profit from an infection.

“This is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK,” said Brad Duncan, a handler at SANS. He also revealed that groups behind the development and deployment of Angler had made away with CryptXXX at the time.

Meanwhile, the Neutrino Exploit Kit is known for targeting versions of the Java runtime environment, which could explain why it took over the CryptXXX payload, whereas the Angler EK concentrates on exploiting Flash Player vulnerabilities and Microsoft’s Silverlight plugin.

Soon enough, Duncan wrote about his observation of a pseudo-Darkleech campaign that began using the Neutrino Exploit Kit to distribute the CryptXXX ransomware via a compromised website. This was discovered in tandem with another malicious campaign called EITest. In both campaigns the Neutrino EK was triggered from the same compromised website.

“I was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic,” wrote Duncan.

In the next blog, we will explain how the Neutrino exploit kit made its way to an even-wider, more-destructive distribution channel for the CryptXXX ransomware, with a botnet.

Image credit: Flickr.