Attackers injected malicious code into a popular anime streaming site that redirected visitors to the Neutrino exploit kit, which in turn delivered CryptXXX ransomware.
According to Nicholas Griffin, a senior security researcher at Forcepoint, the infection occurred on June 20th and affected Jkanime, an anime streaming site that typically receives 33 million visitors a month.
At this time, the malicious code appears to have been removed from the site.
The injected code was a snippet of JavaScript. Whenever a user visited Jkanime, the snippet ran automatically and loaded an external JS file, which redirected the browser to a landing page for the Neutrino exploit kit.
Neutrino then dropped and executed version 3.0 of the CryptXXX ransomware on the computers of visitors whose browsers it managed to exploit, and demanded 1.2 Bitcoin (approximately US $888 at the time) in exchange for the decryption key.
First seen in April, CryptXXX is an unusual crypto-ransomware family in that it is also capable of stealing victims' Bitcoins.
Researchers quickly developed a decryption tool for CryptXXX, which led the ransomware authors to update their creation with a lock screen that prevented users from completing a payment on an infected machine.
Once again, researchers created a decryption tool, and once again, the malware developers updated the ransomware, this time adding a module that allowed the ransomware to steal victims’ passwords.
CryptXXX had previously been distributed only through the Angler exploit kit. That changed at the beginning of June, when Angler disappeared from the radar of many prominent security researchers.
Nuclear, the second most popular exploit kit, went offline earlier in the spring after the security firm Check Point published a detailed report analyzing the kit's infrastructure.
Clearly, Neutrino (among other exploit kits) is still active, so users need to protect themselves.
Exploit-kit attacks are drive-by: no click on a malicious link or attachment is needed, since visiting a compromised legitimate site is enough, and the kit succeeds only if the browser or one of its plugins has an unpatched vulnerability. The most effective defense is therefore to install operating system, browser and plugin updates (Adobe Flash in particular) as soon as they become available. Against ransomware specifically, users should also exercise caution around suspicious links and attachments, and keep frequent backups on storage that is not permanently connected, so that encrypted files can be restored without paying.