Hackers shift to Neutrino exploit kit to spread CryptXXX ransomware
Change of tactics from cyber-criminals may be an attempt to bypass signature detection and improve infection performance.
The criminal gang behind the enhanced CryptXXX ransomware have moved away from using the Angler exploit kit to the Neutrino EK.
Researchers from SANS said that pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware this Monday. The researchers noted that up to this point the ransomware was only distributed using Angler.
In a blog post, Brad Duncan, a handler and researcher at the SANS Internet Storm Center, said that while a malware campaign switching exploit kits was nothing new, this was the first time he has witnessed CryptXXX distributed by Neutrino.
“This can be confusing, especially if you're expecting Angler EK. Campaigns can (and occasionally do) switch EKs,” he said.
On Tuesday this week, he found a compromised website with injected script from two different campaigns: pseudo-Darkleech and EITest. On that day, both campaigns were distributing CryptXXX ransomware and in both cases, Neutrino EK delivered CryptXXX ransomware as a DLL file.
CryptXXX will have different domains in the decryption instructions depending on the campaign it came from, said Duncan.
“Although CryptXXX samples from a specific campaign are changed or updated as the day progresses, they will always be different from CryptXXX samples from another campaign during the same timeframe,” he said. “Checking the traffic on Security Onion using Suricata and the ETPro ruleset, I found the usual alerts for Neutrino EK traffic and CryptXXX callback after the initial infection.”
Why the hackers have changed tactics is anyone's guess. Angler samples containing CryptXXX haven't been detected in several days.
He said that people can protect themselves from Neutrino EK by following best security practices (up-to-date applications, latest OS patches, software restriction policies, etc.)
Gunter Ollmann, CSO at Vectra Networks, told SCMagazineUK.com that the change of exploit kit is likely driven by infection performance – which would support the idea that additional AV products would be less capable of detecting the threat.
“Anti-malware technologies that use static signatures will likely be slow to react to the change of threat vector and distribution – which is why behavioural-based detection and machine learning approaches perform better at detection of this class of threat,” he said.
Oliver Pinson-Roxburgh, SE director EMEA at Alert Logic, told SC that organisations should not rely on just one technology to protect against this threat.
“Defence in depth is key. What one solution does not protect you from, the next might. Partner with researchers; ever evolving attacks means the vendors struggle to keep up without manual intervention and many organisations lack the expertise to hunt for this activity or tune systems to keep themselves protected,” he said.