
Highly Popular Anime Site Jkanime Compromised - Redirecting Users To Neutrino EK
Posted by Nicholas Griffin on June 21, 2016

On June 20, 2016 the popular anime site Jkanime was injected with
malicious code that was silently redirecting users to Neutrino Exploit Kit
(EK). During our analysis Neutrino EK dropped and executed the CryptXXX
3.0 crypto-ransomware, and we were asked to pay 1.2 Bitcoin
(approximately $888 USD) in order to get our files back.
COMPROMISED WEBSITE
Jkanime is one of the most popular sites globally for streaming anime
episodes online, receiving an estimated 33 million visitors per month. It is
particularly popular in South America according to SimilarWeb.
The site itself has been injected with a script that includes another JavaScript
(JS) file.

This JS file then loads an iframe to a Neutrino EK landing page.

This particular injection and redirection path is known as "AfraidGate" (aka
"ScriptJS"). The actor behind AfraidGate typically used to redirect users to
Angler EK, but since the recent demise of Angler the actor has switched to
Neutrino.

The infection chain we analysed was as follows:

hxxp://jkanime[.]net/dragon-ball-super/48/ - Lure (Compromised Website)
--> hxxp://galop[.]serviciosgeologicos[.]com[.]ar/script/widget.js - Redirection (AfraidGate)
--> hxxp://gittinsburpingtonsmythe[.]morgansdecorators[.]com/1999/11/10/sniff/system/chase-twilight-decay-hungry.html - Exploit Kit (Neutrino)
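The chain above (lure page, off-site JS gate, iframe to a landing page on a third domain) leaves a recognisable footprint in web proxy logs: all three requests come from one client, and both the gate script and the landing page carry the lure page as their referrer. The following is an added example, not code from the original post, that reconstructs such chains from constructed log lines; the log format, domains and the "last two host labels" domain key are assumptions for the demo.

```python
"""Added example: flag lure -> off-site JS -> third-party HTML landing page
patterns in proxy logs. Log lines and domain names are constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines, fields: "client referrer url content-type"
SAMPLE_LOG = """\
10.0.0.5 - http://anime-site.example/show/48/ text/html
10.0.0.5 http://anime-site.example/show/48/ http://gate.unrelated-geo.example/script/widget.js application/javascript
10.0.0.5 http://anime-site.example/show/48/ http://random.decorators.example/1999/11/10/sniff/system/chase-twilight-decay.html text/html
10.0.0.5 http://anime-site.example/show/48/ http://cdn.anime-site.example/player.js application/javascript
10.0.0.7 - http://news.example/ text/html
10.0.0.7 http://news.example/ http://ads.example/tag.js application/javascript
"""

def site(url):
    """Crude registered-domain key: last two host labels (assumption for the demo)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_log(text):
    """Split each constructed log line into a dict; '-' means no referrer."""
    rows = []
    for line in text.splitlines():
        client, referrer, url, ctype = line.split()
        rows.append({"client": client, "ref": None if referrer == "-" else referrer,
                     "url": url, "ctype": ctype})
    return rows

def find_ek_chains(rows):
    """For each (client, referrer) pair, look for an off-site JS fetch together
    with an HTML document from a third, unrelated site (an injected iframe
    inherits the lure page as its referrer, just like the gate script)."""
    by_ref = defaultdict(list)
    for r in rows:
        if r["ref"]:
            by_ref[(r["client"], r["ref"])].append(r)
    hits = []
    for (client, lure), children in by_ref.items():
        lure_site = site(lure)
        off_js = [c for c in children if "javascript" in c["ctype"] and site(c["url"]) != lure_site]
        off_html = [c for c in children if c["ctype"] == "text/html" and site(c["url"]) != lure_site]
        for js in off_js:
            for html in off_html:
                if site(js["url"]) != site(html["url"]):  # three distinct sites in the chain
                    hits.append({"client": client, "lure": lure, "gate": js["url"], "landing": html["url"]})
    return hits

if __name__ == "__main__":
    for hit in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(hit)
```

The first-party player.js on the anime site and the plain ad tag on the news site are not flagged; only the client whose lure page pulled both an unrelated script and an unrelated HTML document is reported.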
