2017-04-20 - EITEST CAMPAIGN: RIG EK OR HOEFLERTEXT CHROME POPUP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-04-20-EITest-campaign-2-pcaps.zip   708.5 kB (708,514 bytes)

• 2017-04-20-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (229,225 bytes)
• 2017-04-20-EITest-Rig-EK-sends-Quant-Loader.pcap   (826,888 bytes)

• 2017-04-20-EITest-malware-and-artifacts.zip   561.0 kB (561,039 bytes)

• 2017-04-20-EITest-Rig-EK-payload-Quant-Loader.exe   (286,720 bytes)
• 2017-04-20-EITest-Rig-EK-post-infection-follow-up-malware-ZLoader-DELoader.exe   (344,064 bytes)
• 2017-04-20-EITest-Spora-ransomware-from-HoflerText-popup.exe   (114,688 bytes)
• 2017-04-20-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-04-20-Rig-EK-flash-exploit.swf   (18,245 bytes)
• 2017-04-20-Rig-EK-landing-page.txt   (1178,25 bytes)
• 2017-04-20-Spora-ransomware-decryption-instructions.html   (12,321 bytes)
• 2017-04-20-page-from-saywitzproperties.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (104,439 bytes)
• 2017-04-20-page-from-saywitzproperties.com-with-injected-EITest-script-for-Rig-EK.txt   (57,513 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

• Although the EITest campaign uses exploit kits (EKs), it also has had HoeflerText popups since January 2017.
• Kafeine wrote about these HoeflerText popups for Proofpoint's Threat Insight Blog.  His write-up is here.
• My most recent write-up on the EITest campaign using Rig EK can be found here.
• The flowchart below should explain the current chain of events for EITest.

NOTES:

• As always, thanks to everyone who tweets about the compromised sites they find.
• Today's site was tweeted by @thlnk3r, and you can see the original threat here.
• It's been about a week now that EITest has been pushing Quant Loader, which in turn downloads ZLoader/DELoader (over and over and over again).

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  EITest HoeflerText popup traffic when compromised site is viewed using Google Chrome.

 

Shown above:  EITest Rig EK traffic when compromised site is viewed using Internet Explorer.

 

Shown above:  Post-infection traffic after Rig EK sends Quant Loader as its payload.

 

ASSOCIATED DOMAINS:

• saywitzproperties[.]com - compromised site (viewed in Google Chrome)
• 207.62.63[.]149 port 80 - clinicalpsychology.psiedu.ubbcluj[.]ro - GET /pop.php - Spora ransomware download
• 186.2.161[.]51 port 80 - torifyme[.]com - POST / - Spora ransomware decryption site
• 186.2.161[.]51 port 80 - torifyme[.]com - GET / - Spora ransomware decryption site

• saywitzproperties[.]com - compromised site (viewed in Internet Explorer)
• 92.53.119[.]52 port 80 - saywitzproperties[.]com - Rig EK
• 52.90.24[.]205 port 80 - unisdr[.]top - post-infection traffic
• 52.90.24[.]205 port 80 - trackerhost[.]us - post-infection traffic
• 52.90.24[.]205 port 80 - gerber[.]gdn - post-infection traffic
• Various IP addresses on TCP ports 443 and 9001 - various domains - Tor traffic
• DNS query for corpconor-daily[.]pw (response: No such name)
• DNS query for sorrycorpmail[.]site (response: No such name)

 

FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

• SHA256 hash:  29e757cd1e1b4202cb8d1f037f9d6677bff874539f3e357a09dcaea16316b860
  File name:  Chrome Font.exe (with non-ASCII characters for some of the letters)
  File description  Spora ransomware from EITest campaign HoeflerText popup on 2017-04-20

ARTIFACTS FROM RIG EK:

• SHA256 hash:  cc7b6f91fb2152b7aa718e6e4ff8c10810adde5e78fbf33d637a4f82c09fc526
  File description  Rig EK Flash exploit seen on 2017-04-20

• SHA256 hash:  1e804d49d27227374110ca99ba7263bd0e744c6cec7463080682eb85e4cbf42a
  File description  Rig EK payload from the EITest campaign on 2017-04-20 (Quant Loader)

• SHA256 hash:  e293194d518692f3f063420eb14fe48e9836909ba4fb45bc45f632a886e0c956
  File description  Follow-up malware after EITest Rig EK infection on 2017-04-20 (Zloader/DELoader)

 

IMAGES

Shown above:  When using Chrome, I saw a HoeflerText popup from the compromised website.

 

Shown above:  Clicking the download link from HoeflerText popup.

 

Shown above:  Spora ransomware decryption instructions.

 

Shown above:  Spora ransomware decryption site.

 

Shown above:  Injected script seen from the compromised site when viewing in Internet Explorer (leads to Rig EK landing page).

 

Click here to return to the main page.