This post is also available in: 日本語 (Japanese)
By mid-July 2016, the Afraidgate campaign stopped distributing CryptXXX ransomware. It is now distributing the ".zepto" variant of Locky. Afraidgate has been using Neutrino exploit kit (EK) to distribute malware after Angler EK disappeared in early June 2016. As we previously reported, this campaign continues to utilize gate domains using name servers from afraid.org.
As early as June 29, 2016, we saw the Afraidgate campaign deliver Locky ransomware. This campaign switched between delivering CryptXXX and Locky ransomware during the next two weeks. July 11, 2016, was the last time we saw Afraidgate deliver CryptXXX. Since then, this campaign has been consistently delivering Locky.
Figure 1: Flow chart for an infection from the Afraidgate campaign.
This variant of Locky uses a .zepto file extension for any encrypted files. We started seeing this Zepto variant of Locky after a three-week outage of the Necurs botnet ended on June 21, 2016. Locky had been absent during the outage, but after the botnet returned, Locky also reappeared with new anti-sandboxing and evasion techniques.
Some security vendors have named this new variant Zepto ransomware, but they still highlight its similarities with the previous Locky variant.
Figure 2: Desktop of a Windows host infected with the Zepto variant of Locky.
From Angler EK to Neutrino
Like most campaigns, Afraidgate switched to Neutrino EK after Angler EK disappeared in early June 2016. We have seen two other large-scale campaigns also move from Angler to Neutrino EK: the EITest and pseudo-Darkleech campaigns. For now, Neutrino appears to be distributing the majority of ransomware for EK-based infections. Outliers still exist, like Magnitude EK distributing Cerber ransomware. Rig EK has also been noted for an occasional ransomware infection. But the bulk of EK-based ransomware infections are most often attributed to Neutrino EK.
Example of an Afraidgate Infection
Figure 3: Traffic from an Afraidgate infection filtered in Wireshark.
As noted in our previous post on EK fundamentals, EK-based campaigns start with a compromised website. Pages from the compromised site have injected script that, in this case, lead to an Afraidgate domain behind the scenes.
Figure 4: Injected script in page from a compromised website.
Figure 5: Afraidgate domain leading to the Neutrino EK landing page.
Domains, IP addresses, and other indicators associated with Neutrino EK and Locky are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.
WildFire continues to detect submitted samples of Locky ransomware, and AutoFocus identifies this threat under the Unit 42 Locky tag.
Indicators of Compromise
So far in July 2016, we have seen the following indicators of compromise associated with the Afraidgate campaign:
- 184.108.40.206 port 80 - leon.stmaryschooldmt[.]com - GET /scripts/jquery.form.js
- 220.127.116.11 port 80 - motor.atchisoncountyrecorder[.]com - GET /js/blog.js
- 18.104.22.168 port 80 - motor.atchisoncountyrecorder[.]com - GET /scripts/custom.js
- 22.214.171.124 port 80 - oskol.migustapizza.com[.]br - GET /gantry-totop.js
- 126.96.36.199 port 80 - snow.blautechnology[.]com - GET /scripts/libs.js
- 188.8.131.52 port 80 - start.puterasyawal[.]com - GET /js/addOnLoad.js
- 184.108.40.206 port 80 - nepal.laderatutors[.]com - GET /rokmediaqueries.js
- 220.127.116.11 port 80 - siber.activebeliever[.]com - GET /plugins/fancybox-for-wordpress/js/jquery.easing.1.3.min.js?ver=1.3
- 18.104.22.168 port 80 - zine.polatoglumimarlik[.]com - GET /scripts/jquery.sliderkit.1.9.2.pack.js
- 22.214.171.124 port 80 - zine.polatoglumimarlik[.]com - GET /html5shiv.js
- 126.96.36.199 port 80 - zine.polatoglumimarlik[.]com - GET /to_top.js
- 188.8.131.52 port 80 - avukytj.oautumnyellow[.]top
- 184.108.40.206 port 80 - azbepfasz.yintored[.]top
- 220.127.116.11 port 80 - bkubf.bsuperpink[.]top
- 18.104.22.168 port 80 - iynwzttqd.hautumngreen[.]top
- 22.214.171.124 port 80 - mxoug.yintored[.]top
- 126.96.36.199 port 80 - yegoxmvzpx.bsuperpink[.]top
- 188.8.131.52 port 80 - erfxsnvj.mafterred[.]top
- 184.108.40.206 port 80 - hxmst.rautumngreen[.]top
- 220.127.116.11 port 80 - bkhrdfngwg.blueelizabeth[.]top
- 18.104.22.168 port 80 - clfdkbl.bluechristian[.]top
- 22.214.171.124 port 80 - drhffhveq.greenjessica[.]top
- 126.96.36.199 port 80 - rklfdprel.blueelizabeth[.]top
Locky post-infection traffic:
- 188.8.131.52 port 80 - 184.108.40.206 - POST /upload/_dispatch.php
- 220.127.116.11 port 80 - 18.104.22.168 - POST /upload/_dispatch.php
- 22.214.171.124 port 80 - 126.96.36.199 - POST /upload/_dispatch.php
- 188.8.131.52 port 80 - 184.108.40.206 - POST /upload/_dispatch.php
- 220.127.116.11 port 80 - 18.104.22.168 - POST /upload/_dispatch.php
- 22.214.171.124 port 80 - 126.96.36.199 - POST /upload/_dispatch.php
Domains from the decryption instructions: