Afraidgate: Major Exploit Kit Campaign Switches from CryptXXX Ransomware Back to Locky

Brad Duncan


By mid-July 2016, the Afraidgate campaign stopped distributing CryptXXX ransomware. It is now distributing the “.zepto” variant of Locky. Afraidgate has been using Neutrino exploit kit (EK) to distribute malware after Angler EK disappeared in early June 2016. As we previously reported, this campaign continues to utilize gate domains using name servers from afraid.org.

Changing Payloads

As early as June 29, 2016, we saw the Afraidgate campaign deliver Locky ransomware. This campaign switched between delivering CryptXXX and Locky ransomware during the next two weeks. July 11, 2016, was the last time we saw Afraidgate deliver CryptXXX. Since then, this campaign has been consistently delivering Locky.


Figure 1: Flow chart for an infection from the Afraidgate campaign.

This variant of Locky uses a .zepto file extension for any encrypted files. We started seeing this Zepto variant of Locky after a three-week outage of the Necurs botnet ended on June 21, 2016. Locky had been absent during the outage, but after the botnet returned, Locky also reappeared with new anti-sandboxing and evasion techniques.

Some security vendors have named this new variant Zepto ransomware, but they still highlight its similarities with the previous Locky variant.


Figure 2: Desktop of a Windows host infected with the Zepto variant of Locky.

From Angler EK to Neutrino

Like most campaigns, Afraidgate switched to Neutrino EK after Angler EK disappeared in early June 2016. We have seen two other large-scale campaigns also move from Angler to Neutrino EK: the EITest and pseudo-Darkleech campaigns. For now, Neutrino appears to be distributing the majority of ransomware for EK-based infections. Outliers still exist, like Magnitude EK distributing Cerber ransomware. Rig EK has also been noted for an occasional ransomware infection. But the bulk of EK-based ransomware infections are most often attributed to Neutrino EK.

Example of an Afraidgate Infection


Figure 3: Traffic from an Afraidgate infection filtered in Wireshark.

As noted in our previous post on EK fundamentals, EK-based campaigns start with a compromised website. Pages from the compromised site contain injected script that, in this case, leads to an Afraidgate domain behind the scenes.


Figure 4: Injected script in page from a compromised website.

After the victim’s computer connects to the URL on an Afraidgate domain, the server returns more JavaScript containing an iframe that leads to a Neutrino EK landing page.


Figure 5: Afraidgate domain leading to the Neutrino EK landing page.

Neutrino EK domains for this campaign tend to use .top as the top-level domain (TLD). Otherwise, we see no surprises. Neutrino is a well-known EK that has been documented by others.
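The three-hop chain described above (compromised site, gate answering a .js request, random-label .top Neutrino host, then the Locky POST to a bare IP) can be reconstructed per client from an HTTP proxy log. The following is an added detection sketch, not code from this post or from Unit 42; it assumes a simple four-field log (client, host, method, URI) and uses constructed placeholder hosts and TEST-NET addresses rather than the post's indicators.

```python
import re
from collections import defaultdict

# Constructed sample HTTP log (client host method uri); placeholder hosts/IPs, not the post's IoCs.
SAMPLE_LOG = """\
10.0.0.5 www.compromised-example.test GET /index.html
10.0.0.5 www.compromised-example.test GET /css/site.css
10.0.0.5 motor.gate-example.test GET /js/blog.js
10.0.0.5 kxqzv.yellowexample.top GET /
10.0.0.5 203.0.113.10 POST /upload/_dispatch.php
10.0.0.7 www.news-example.test GET /
10.0.0.7 cdn.example.test GET /lib/jquery.min.js?ver=1.3
10.0.0.9 shop.example.test GET /js/cart.js
10.0.0.9 wpoqmfr.blueexample.top GET /
"""

JS_FETCH = re.compile(r"\.js(\?.*)?$")              # the gate answers a .js request
# Random 5-10 letter label under a .top domain: the shape of the post's Neutrino hosts
NEUTRINO_HOST = re.compile(r"^[a-z]{5,10}\.[a-z]+\.top$")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # Locky posts to a bare IP
LOCKY_POST = "/upload/_dispatch.php"                 # callback path from the post's IoCs

def parse_log(text):
    """Split the log into (client, host, method, uri) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def find_afraidgate_chains(reqs):
    """Per client: Neutrino .top contact, the .js fetch just before it (probable gate),
    and the Locky POST after it. locky_c2 is None when the chain stops at the EK."""
    by_client = defaultdict(list)
    for client, host, method, uri in reqs:
        by_client[client].append((host, method, uri))
    hits = {}
    for client, rs in by_client.items():
        gate = neutrino = locky = None
        for host, method, uri in rs:
            if neutrino is None:               # still looking for the landing page
                if method == "GET" and JS_FETCH.search(uri):
                    gate = host
                if NEUTRINO_HOST.match(host):
                    neutrino = host
            elif method == "POST" and uri == LOCKY_POST and IP_LITERAL.match(host):
                locky = host                    # post-infection callback
                break
        if neutrino:
            hits[client] = {"gate": gate, "neutrino": neutrino, "locky_c2": locky}
    return hits
```

A client reported with `locky_c2` set to `None` reached the landing page but never called back, which is the shape a blocked or failed exploit leaves in the log and is still worth triage.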

Conclusion

Domains, IP addresses, and other indicators associated with Neutrino EK and Locky are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.

WildFire continues to detect submitted samples of Locky ransomware, and AutoFocus identifies this threat under the Unit 42 Locky tag.

Indicators of Compromise

So far in July 2016, we have seen the following indicators of compromise associated with the Afraidgate campaign:


Domains from the decryption instructions:

  • mphtadhci5mrdlju.tor2web[.]org
  • mphtadhci5mrdlju.onion[.]to
  • zjfq4lnfbs7pncr5.tor2web[.]org
  • zjfq4lnfbs7pncr5.onion[.]to

2 Reader Comments

  1. ƒleon.stmaryschooldmt[.]com is not a valid domain name.

    As per RFC 3490, non-ASCII characters in domain names must be encoded using IDNA, which would yield xn--leon.stmaryschooldmt[.]com-zuf.

    It’s not clear from this report if the ƒ is merely a stray character or if the intended indicator of compromise should actually be xn--leon.stmaryschooldmt[.]com-zuf.

  2. Brad Duncan

    Thanks for the info! That ƒ should not be in there at all. We’ll get that fixed. The domain is leon.stmaryschooldmt[.]com. Thanks again.
