TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit

This post was written by Sriram P. and Varadharajan Krishnasamy.

TeslaCrypt is a ransomware family that encrypts files and extorts money from its victims to decrypt the files. Similar to other ransomware variants, TeslaCrypt propagates through a wide range of spam campaigns and is also downloaded with the help of other malware:

  • W97M/Downloader
  • JS/Nemucod
  • Angler exploit kit
  • Neutrino exploit kit
  • Generic downloaders

Last week, McAfee observed a novel approach in downloading TeslaCrypt using the Neutrino exploit kit.

Like other exploit kits, Neutrino redirects users to a malicious landing page that hosts exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of spam campaign.

Once successful, the exploit kit delivers a Trojan downloader and executes it on the victim’s machine. The payload then starts generating random domain names and contacts a remote server with the following parameters.


The variable “_wv=” is assigned to the Base64 text string “ZW50ZXI=” which decodes to the command “enter.”

The server responds with a 404 error page. The response for the command “enter” is present in the comments section of the HTML page, which is again a Base64-encoded (<!—c3VjY2Vzcw==—>) text that decodes to the response “success.”


Upon receiving the success message, the malware responds with the same cookie-auth browser agent, along with a reply containing an encoded data.


The encoded data has the following format:

cmd&<GUID of Machine >&<Logged-in Username: System Name: Domain Name>&<Windows Version and Platform> &<AV product Info>&<Date and Time of Execution>

The compromised machine receives another 404 error page along with a download link that delivers a TeslaCrypt variant from the remote server.


The decoded comments section has the following format:

<random ldap timestamp>#<>#<>#LOADER hxxp://103.*****.148/*****.exe#

After successful execution, TeslaCrypt encrypts files in the victim’s machine and demands money to decrypt them.

We have seen the following domain names associated with this malware:

  • nutqauytva100azxd.com
  • nutqauytva11azxd.com
  • nutqauytva513xyzf11zzzzz0.com
  • nutr3inomiranda1.com
  • nutqauytva9azxd.com

These domains are already flagged by McAfee SiteAdvisor as malicious.


How to prevent this infection:

  • In spite of the availability of patches for known vulnerabilities such as CVE-2015-2419, CVE-2015-7645, and others, this exploit kit still targets these weaknesses. McAfee recommends users install the latest patches for Internet Explorer, Adobe Flash, etc.
  • We advise all users to be extra careful when opening unsolicited emails and clicking unknown links.
  • We strongly advise all users to block the preceding domain names.

McAfee products detect these TeslaCrypt variants as “Ransom-Tescrypt!<Partial hash>.”



Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top