2017-04-15 - EITEST CAMPAIGN RIG EK / HOEFLERTEXT CHROME POPUP

ASSOCIATED FILES:

  • 2017-04-15-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (172,172 bytes)
  • 2017-04-15-EITest-Rig-EK-traffic.pcap   (11,548,802 bytes)
  • 2017-04-15-EITest-Rig-EK-flash-exploit.swf   (19,110 bytes)
  • 2017-04-15-EITest-Rig-EK-landing-page.txt   (117,714 bytes)
  • 2017-04-15-EITest-Rig-EK-payload-3v62anzt.exe   (208,896 bytes) -- I think this is Quant Loader
  • 2017-04-15-EITest-Rig-EK-post-infection-follow-up-malware.exe   (401,408 bytes)
  • 2017-04-15-Spora-ransomware-decryption-instructions.html   (12,326 bytes)
  • 2017-04-15-Spora-ransomware.exe   (102,400 bytes)
  • 2017-04-15-page-from-cardgameheaven.com-with-injected-EITest-script-for-HoeflerText.txt   (66,601 bytes)
  • 2017-04-15-page-from-cardgameheaven.com-with-injected-EITest-script-for-Rig-EK.txt   (19,988 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

NOTES:


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  EITest HoeflerText popup traffic when compromised site is viewed using Google Chrome.

 


Shown above:  EITest Rig EK traffic when compromised site is viewed using Internet Explorer.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

ARTIFACTS FROM RIG EK:

 

IMAGES


Shown above:  When using Chrome, we see a HoeflerText popup from the compromised website.

 


Shown above:  Clicking the download link from HoeflerText popup.

 


Shown above:  Spora decryption site.

 


Shown above:  This time, Spora doesn't change the file extensions for the files it encryptes.

 


Shown above:  Using Internet Explorer, we find injected script from the EITest campaign in a page from the compromised website pointing to Rig EK.

 


Shown above:  Some of the post-infection traffic seen after the EITest Rig EK infection.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.