Anime site redirects to Neutrino exploit kit, CryptXXX ransomware

Neutrino exploit kit? Why not Angler or Nuclear? Oh yeah that’s right…

David Bisson


Attackers injected a popular anime site with malicious code that redirected visitors to the Neutrino exploit kit and CryptXXX ransomware.

According to Nicholas Griffin, a senior security researcher at Forcepoint, the infection occurred on June 20th and affected Jkanime, an anime streaming site that typically receives 33 million visitors a month.

At this time, the malicious code appears to have been removed from the site.


The injected code was malicious JavaScript. Whenever a user visited Jkanime, it ran automatically and loaded an external JS file, which redirected the visitor's browser to a landing page for the Neutrino exploit kit.

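The compromise described above is a classic injected third-party include: one extra script tag loading an external file that hands the browser off to an exploit kit landing page. As an added example (not part of the article and not Forcepoint's or Jkanime's code), the Python below shows the kind of baseline check a site operator can run over their own rendered pages to catch that: it flags script sources whose host is not on an allowlist, iframes that are hidden or point off-site, and inline scripts that write an iframe into the page. The hostnames, the allowlist and the sample HTML are all constructed for illustration.

```python
"""Flag script includes and iframes that a site's pages should not contain.

Added example, not from the article. All hosts and the sample page are
constructed; ALLOWED_SCRIPT_HOSTS is a hypothetical allowlist an operator
would build from a known-good copy of their own site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"jkanime.example", "cdn.jkanime.example"}


class InjectedScriptScanner(HTMLParser):
    """Collect (kind, detail) findings while parsing one HTML document."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []
        self._script_buf = None  # text of the inline <script> being read

    def _off_allowlist(self, url):
        # Relative URLs have no hostname and are same-origin, so skip them.
        # Protocol-relative ("//host/x.js") and absolute URLs are checked.
        host = urlparse(url).hostname
        return bool(host) and host not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                if self._off_allowlist(a["src"]):
                    self.findings.append(("external_script", a["src"]))
            else:
                self._script_buf = []  # start buffering inline script text
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if hidden or self._off_allowlist(a.get("src", "")):
                self.findings.append(("suspicious_iframe", a.get("src", "")))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw text, possibly in chunks.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            # Heuristic: inline code that writes a frame into the page is a
            # common shape for injected redirects.
            if "document.write" in body and "<iframe" in body.lower():
                self.findings.append(("inline_writes_frame", body.strip()[:80]))


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the list of (kind, detail) findings for one HTML page."""
    scanner = InjectedScriptScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: two legitimate includes plus three injected elements.
SAMPLE_PAGE = """<html><head>
<script src="/static/player.js"></script>
<script src="https://cdn.jkanime.example/lib/jquery.js"></script>
<script src="//stats.unknown-host.example/t.js"></script>
</head><body>
<iframe src="https://landing.unknown-host.example/gate.php" width="0" height="0" style="display:none"></iframe>
<script>document.write('<iframe src="http://redirector.unknown-host.example/" style="visibility:hidden"></iframe>');</script>
</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/static/player.js"></script>
<script src="https://cdn.jkanime.example/lib/jquery.js"></script>
</head><body><p>hello</p></body></html>"""


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run it against the HTML your own server actually returns (or a crawler's fetch of it), not the source in your repository: the injected tag lives in the deployed page, which is exactly where the repository copy and the served copy diverge.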

Neutrino in turn dropped and executed version 3.0 of the CryptXXX ransomware on visitors' computers; the ransomware demanded 1.2 Bitcoin (approximately US $888 at the time) in exchange for the decryption key.

First discovered back in April, CryptXXX is a crypto-ransomware family that also steals victims' Bitcoins.

Researchers quickly developed a decryption tool for CryptXXX, which led the ransomware authors to update their creation with a lock screen that prevented users from completing a payment on an infected machine.

Once again, researchers created a decryption tool, and once again, the malware developers updated the ransomware, this time adding a module that allowed the ransomware to steal victims’ passwords.


CryptXXX had previously been distributed only by the Angler exploit kit. That changed at the beginning of June, when Angler dropped off the radar of many prominent security researchers.

Nuclear, the second most popular exploit kit, went offline earlier in the spring after the security firm Check Point published a detailed report analyzing the kit's infrastructure.

Clearly, the Neutrino exploit kit (among others) remains active, which is why users need to protect themselves against these attacks.

To do so, users should apply operating system, browser and browser plug-in updates as soon as they become available, since exploit kits rely on unpatched software in the browser. They should also protect themselves against ransomware by exercising caution around suspicious links and attachments and by backing up their data frequently, keeping at least one copy offline where ransomware running on the machine cannot reach it.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
