2017-05-25 - EITEST CAMPAIGN PUSHING TECH SUPPORT SCAMS IN US AND UK

NOTICE:

ASSOCIATED FILES:

  • 2017-05-25-EITest-Rig-EK-sends-Mole-ransomware-after-naturalhealthonline_com.pcap   (263,718 bytes)
  • 2017-05-25-EITest-tech-support-scam-after-activaclinics_com-UK-based-traffic.pcap   (279,748 bytes)
  • 2017-05-25-EITest-tech-support-scam-after-activaclinics_com-US-based-traffic.pcap   (702,907 bytes)
  • 2017-05-25-EITest-tech-support-scam-after-naturalhealthonline_com-US-based-traffic.pcap   (701,682 bytes)
  • 2017-05-25-EITest-Rig-EK-payload-Mole-ransomware.exe   (119,296 bytes)
  • 2017-05-25-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-05-25-Rig-EK-flash-exploit.swf   (15,330 bytes)
  • 2017-05-25-Rig-EK-landing-page.txt   (5,100 bytes)
  • 2017-05-25-page-from-activaclinics_com-with-injected-EITest-script-for-tech-support-scam-UK.txt   (61,176 bytes)
  • 2017-05-25-page-from-activaclinics_com-with-injected-EITest-script-for-tech-support-scam-US.txt   (41,408 bytes)
  • 2017-05-25-page-from-naturalhealthonline_com-with-injected-EITest-script-for-Rig-EK.txt   (39,077 bytes)
  • 2017-05-25-page-from-naturalhealthonline_com-with-injected-EITest-script-for-tech-support-scam-US.txt   (41,069 bytes)
  • 2017-05-25-tech-support-scam-audio-UK.mp3   (164,773 bytes)
  • 2017-05-25-tech-support-scam-audio-US.mp3   (589,824 bytes)
  • 2017-05-25-tech-support-scam-page-UK.txt   (54,525 bytes)
  • 2017-05-25-tech-support-scam-page-US.txt   (4,976 bytes)

 


Shown above:  Flow chart of recent EITest campaign activity.

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED STATES (US)


Shown above:  Injected script in a page from the compromised website.  The highlighted URL leads to a tech support scam page.

 


Shown above:  Traffic filtered in Wireshark.  NOTE: I had to manually copy and paste the URL into a browser.  It did not happen automatically.

 


Shown above:  Screenshot of the tech support scam page (US style).

 


Shown above:  Screenshot of the tech support scam page with the notification pop-up (US style).
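In both the US and UK captures the injected script did not redirect the browser on its own, so the scam URL had to be pulled out of the saved page by hand. As an added example (not code from the original post), the Python helper below does that extraction for a saved page: it lists every script URL that points off the compromised site's own host, then defangs them in the hxxp:// and [.] style used for the indicators above. The sample page and its domains are constructed placeholders, not the injected script or domains from this campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a saved page: one first-party script, one third-party
# script tag, and an inline script carrying an off-site URL. The .invalid
# domains are placeholders (assumption), not the domains from the capture.
SAMPLE_PAGE = """<html><head>
<script src="/assets/site.js"></script>
<script type="text/javascript" src="https://cdn.example-host.invalid/jquery.min.js"></script>
</head><body>
<script>
var u = "http://evil-placeholder.invalid/path/?q=1";
</script>
<a href="https://www.example-site.invalid/contact">Contact</a>
</body></html>"""

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
URL_IN_TEXT = re.compile(r'https?://[^\s"\'<>]+', re.I)


def _is_external(url, site_host):
    """True when the URL has a host and it is not the page's own host."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


def external_script_urls(html, site_host):
    """Return sorted URLs referenced by script tags or inline script bodies
    that point to a host other than site_host. Relative src values and
    plain anchors are ignored; injected scripts almost always load or
    reference something off-site, which is what we want surfaced."""
    urls = set()
    for src in SCRIPT_SRC.findall(html):
        if _is_external(src, site_host):
            urls.add(src)
    for body in INLINE_SCRIPT.findall(html):
        for url in URL_IN_TEXT.findall(body):
            if _is_external(url, site_host):
                urls.add(url)
    return sorted(urls)


def defang(url):
    """hxxp(s):// and [.] in the host part only, so the path stays readable
    and the string cannot be clicked by accident."""
    scheme, _, remainder = url.partition("://")
    host, sep, path = remainder.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def refang(url):
    """Inverse of defang, for feeding an indicator back into a tool."""
    scheme, _, remainder = url.partition("://")
    host, sep, path = remainder.partition("/")
    return f"{scheme.replace('hxxp', 'http')}://{host.replace('[.]', '.')}{sep}{path}"


if __name__ == "__main__":
    for u in external_script_urls(SAMPLE_PAGE, "www.example-site.invalid"):
        print(defang(u))
```

Run it against the saved `page-from-...txt` files with the compromised site's hostname as the second argument; anything it prints is a candidate for the manual copy-and-paste step described above. It deliberately does not fetch anything.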

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED KINGDOM (UK)


Shown above:  Injected script in a page from the compromised website.  The highlighted URL leads to a tech support scam page.

 


Shown above:  Traffic filtered in Wireshark.  NOTE: As before, I had to manually copy and paste the gio.aquastring[.]bid URL into a browser.  It did not happen automatically.

 


Shown above:  The gio.aquastring[.]bid URL redirects to an HTTPS URL.

 


Shown above:  Screenshot of the tech support scam page (UK style).

 


Shown above:  Screenshot of the tech support scam page with the notification pop-up (UK style).

 

INDICATORS

The following are indicators associated with this activity.  I've also included a pcap showing Rig EK (it sent Mole ransomware) from the same compromised website where I saw one of the tech support scam URLs.

 

BONUS IMAGE


Shown above:  If you're dealing with Rig EK and Mole ransomware from the EITest campaign, here's a screenshot of the Mole ransomware Tor page.
