Some of the biggest companies in the world rely on Forcepoint security.

Close

Our Blog

Highly popular anime site Jkanime compromised - redirecting users to Neutrino EK

Share

Tuesday, Jun 21, 2016

On June 20, 2016 the popular anime site Jkanime was injected with malicious code that was silently redirecting users to Neutrino Exploit Kit (EK). During our analysis Neutrino EK dropped and executed the CryptXXX 3.0 crypto-ransomware, and we were requested to pay 1.2 BitCoin (approximately $888 USD) in order to get our files back.

Compromised Website

Jkanime is one of the most popular sites globally for streaming anime episodes online, receiving an estimated 33 million visitors per month. It is particularly popular in South America according to SimilarWeb.

The site itself has been injected with a script that includes another Javascript (JS) file.

This JS file then loads an iFrame to a Neutrino EK landing page.

This particular injection and redirection path is known as "AfraidGate" (aka "ScriptJS"). The actor behind AfraidGate typically used to redirect users to Angler EK, but since the recent demise of Angler the actor has switched to Neutrino.

The infection chain we analysed was as follows:

hxxp://jkanime[.]net/dragon-ball-super/48/ - Lure (Compromised Website)

--> hxxp://galop[.]serviciosgeologicos[.]com[.]ar/script/widget.js - Redirection (AfraidGate)

--> hxxp://gittinsburpingtonsmythe[.]morgansdecorators[.]com/1999/11/10/sniff/system/chase-twilight-decay-hungry.html - Exploit Kit (Neutrino)

CryptXXX Ransomware

When we analysed the infection chain on June 20, Neutrino dropped and executed the CryptXXX crypto-ransomware on our machine. This encrypted our files which were held to ransom at a price of 1.2 BTC (approximately $888 USD).

 

The CryptXXX sample we analysed which was dropped by Neutrino had a SHA1 of 25366d44c5df1e372a40c746d216bd1ccc52ac0f. This is CryptXXX U000011 version 3.201.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) - The injected code on the compromised site is detected and the site is blocked.
  • Stage 3 (Redirect) - The AfraidGate redirection is detected and blocked.
  • Stage 4 (Exploit Kit) - The Neutrino EK landing page is detected and blocked.

 

Summary

After the recent disappearance of Angler EK, actors are turning to the Neutrino EK to distribute their malware. Highly popular sites are no safe haven from malware and a frequently visited site is a lucrative target for an attacker. The use of crypto-ransomware shows no signs of slowing down as it provides criminals with large financial gains. As ever, users should ensure that their browsers and browser plug-ins are up to date.

About the Author

NG

Nicholas Griffin

Security Researcher