On June 20, 2016 the popular anime site Jkanime was injected with malicious code that was silently redirecting users to Neutrino Exploit Kit (EK). During our analysis Neutrino EK dropped and executed the CryptXXX 3.0 crypto-ransomware, and we were requested to pay 1.2 BitCoin (approximately $888 USD) in order to get our files back.
Jkanime is one of the most popular sites globally for streaming anime episodes online, receiving an estimated 33 million visitors per month. It is particularly popular in South America according to SimilarWeb.
This JS file then loads an iFrame to a Neutrino EK landing page.
This particular injection and redirection path is known as "AfraidGate" (aka "ScriptJS"). The actor behind AfraidGate typically used to redirect users to Angler EK, but since the recent demise of Angler the actor has switched to Neutrino.
The infection chain we analysed was as follows:
hxxp://jkanime[.]net/dragon-ball-super/48/ - Lure (Compromised Website)
--> hxxp://galop[.]serviciosgeologicos[.]com[.]ar/script/widget.js - Redirection (AfraidGate)
--> hxxp://gittinsburpingtonsmythe[.]morgansdecorators[.]com/1999/11/10/sniff/system/chase-twilight-decay-hungry.html - Exploit Kit (Neutrino)
When we analysed the infection chain on June 20, Neutrino dropped and executed the CryptXXX crypto-ransomware on our machine. This encrypted our files which were held to ransom at a price of 1.2 BTC (approximately $888 USD).
The CryptXXX sample we analysed which was dropped by Neutrino had a SHA1 of 25366d44c5df1e372a40c746d216bd1ccc52ac0f. This is CryptXXX U000011 version 3.201.
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 2 (Lure) - The injected code on the compromised site is detected and the site is blocked.
- Stage 3 (Redirect) - The AfraidGate redirection is detected and blocked.
- Stage 4 (Exploit Kit) - The Neutrino EK landing page is detected and blocked.
After the recent disappearance of Angler EK, actors are turning to the Neutrino EK to distribute their malware. Highly popular sites are no safe haven from malware and a frequently visited site is a lucrative target for an attacker. The use of crypto-ransomware shows no signs of slowing down as it provides criminals with large financial gains. As ever, users should ensure that their browsers and browser plug-ins are up to date.