In mid-April 2016, a campaign using Nuclear Exploit Kit (EK) to distribute Locky ransomware switched to using the Angler EK to install CryptXXX ransomware. This campaign uses gates registered through FreeDNS at afraid.org. We are calling this the Afraidgate campaign. Although we continue to see Locky distributed through malicious spam, we have not noticed Locky from EK traffic since mid-April.
An Evolving Campaign
In March 2016, we observed Nuclear EK from the Afraidgate campaign spreading Locky ransomware. A consistent gate pattern in the infection chain pointed to the same campaign using Neutrino EK the previous month. Now this campaign points to Angler EK. Also with the change in EKs, the malware has switched from Locky to CryptXXX. Both of these malware families employ the ransomware business model, in which they encrypt a user’s files and demand a ransom in return for the decryption keys. The following chart illustrates the changes in this particular campaign:
Figure 1: Changes in EK and payload from the Afraidgate campaign.
The Angler/Bedep/CryptXXX Combo
In mid-April 2016, the pseudo-Darkleech campaign started delivering CryptXXX through Bedep from Angler EK. The same Angler EK/Bedep/CryptXXX combination has spread to the Afraidgate campaign, replacing Nuclear EK traffic used to deliver Locky.
Angler EK is a bit more advanced than Nuclear EK. Angler uses new exploits, usually before these exploits have made their way into Nuclear EK. When sending Bedep, Angler uses a“fileless” infection technique originally implemented in 2014. Bedep is installed without creating any files because it is loaded directly into memory by the exploit shellcode.
Bedep is a file downloader that infects the host with other malware. In addition to CryptXXX, Bedep also installs click-fraud malware. Recent updates to Bedep make it harder to use virtual machines (VMs) to investigate this malware. Bedep acts differently if it detects a VM. It will not download CryptXXX, and post-infection click-fraud traffic is different than seen from a normal physical host.
Figure 2: VM infection shows different post-infection traffic than the other examples here.
Three examples of Angler/Bedep/CryptXXX infection traffic from the Afraidgate campaign are shown below.
Figure 3: Gate on 220.127.116.11 leads to Angler EK/Bedep/CryptXXX on Friday 2016-04-22.
Figure 4: Similar gate on 18.104.22.168 leads to more Angler EK traffic on Monday 2016-04-25.
Figure 5: Similar gate on 22.214.171.124 leads to more Angler EK on Tuesday 2016-04-26.
CryptXXX is now the default ransomware deployed in at least two major EK campaigns and should be considered a growing cybersecurity threat.
Domains, IP addresses, and other indicators associated with Angler EK, Bedep, and CryptXXX are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.
WildFire continues to detect submitted .dll samples of CryptXXX ransomware, and AutoFocus identifies this threat under the Unit 42 CryptXXX tag.
Indicators of Compromise
As of Tuesday 2016-04-26, we have seen the following indicators of compromise associated with this campaign:
Gates used in this campaign:
- 126.96.36.199 port 80 – host.vivialvarez.com[.]ar – GET /widget.js
- 188.8.131.52 port 80 – kw.projetoraizes.com[.]br – GET /js/script.js
- 184.108.40.206 port 80 – net.jacquieleebrasil.com[.]br – GET /js/script.js
- 220.127.116.11 port 80 – bintiye.helpthevets[.]org
- 18.104.22.168 port 80 – mcimaildmz.dinnerplate.co[.]uk
- 22.214.171.124 port 80 – candidulumbestuurlijk.newlandsierrarealestate[.]com
- 126.96.36.199 port 80 – frageboegen-plletyksin.breastcanceroutreach[.]com
- 188.8.131.52 port 80 – reikleivn-azarashi.orlandohomesbydevito[.]com
- 184.108.40.206 port 80 – litigators.esteroscreen[.]com
Bedep post-infection traffic:
- 220.127.116.11 port 80 – qrwzoxcjatynejejsz[.]com
- 18.104.22.168 port 80 – yfczmludodohkdqnij[.]com (using a VM)
- 22.214.171.124 port 80 – ranetardinghap[.]com
- 126.96.36.199 port 80 – cetinhechinhis[.]com
- 188.8.131.52 port 80 – tedgeroatref[.]com
- 184.108.40.206 port 80 – rerobloketbo[.]com
- 220.127.116.11 port 80 – tonthishessici[.]com
- 18.104.22.168 port 80 – allofuslikesforums[.]com
- 22.214.171.124 port 80 – oqpwldjc.mjobrkn3[.]eu (using a VM)
CryptXXX post-infection traffic:
- 126.96.36.199 port 443 (custom encoding)
[Palo Alto Networks Research Center]