2017-07-23 - EITEST HOFLERTEXT POPUP SENDS MOLE RANSOMWARE

ASSOCIATED FILES:

  • 2017-07-23-EITest-HoflerText-popup-sends-Mole-ransomware-1st-run.pcap   (302,477 bytes)
  • 2017-07-23-EITest-HoflerText-popup-sends-Mole-ransomware-2nd-run.pcap   (314,870 bytes)
  • 2017-07-23-EITest-tech-support-scam-traffic.pcap   (112,161 bytes)
  • 2017-07-23-1st-run-Font_Chrome.exe   (174,080 bytes)
  • 2017-07-23-2nd-run-Font_Chrome.exe   (153,088 bytes)
  • 2017-07-23-Mole-ransomware_HELP_INSTRUCTION.TXT   (1,554 bytes)
  • 2017-07-23-fake-Microsoft-AV-page-from-securityfalse.ga.txt   (4,374 bytes)
  • 2017-07-23-page-from-one-hour.fr-with-injected-HoeflerText-script-1st-run.txt   (124,550 bytes)
  • 2017-07-23-page-from-one-hour.fr-with-injected-HoeflerText-script-2nd-run.txt   (124,550 bytes)
  • 2017-07-23-page-from-one-hour.fr-with-injected-tech-support-scam-script.txt   (79,597 bytes)

NOTES:

Shown above: Updated flow chart reflecting today's traffic from the EITest campaign.

TRAFFIC


Shown above: Screenshot of the traffic filtered in Wireshark for the HoeflerText popup and Mole ransomware.

Shown above: Screenshot of the traffic filtered in Wireshark for the tech support scam.

ASSOCIATED DOMAINS (EITEST - HOEFLERTEXT POPUP):

ASSOCIATED DOMAINS (EITEST - TECH SUPPORT SCAM):

MALWARE

MOLE RANSOMWARE FROM 1ST RUN:

MOLE RANSOMWARE FROM 2ND RUN:

IMAGES

Shown above: HoeflerText popup when viewing a page from the compromised site in Chrome.

Shown above: Downloading Mole ransomware disguised as a Chrome font installer.

Shown above: Start of the injected script for the HoeflerText popup in a page from the compromised site.

Shown above: End of the injected script for the HoeflerText popup in a page from the compromised site.

Shown above: .MOLE03 is the file extension for all encrypted files.

Shown above: Mole ransomware decryption instructions.

Shown above: Tor page for the Mole ransomware decryption site.

Shown above: Injected script for the tech support scam when viewing a page from the compromised site using Internet Explorer.

Shown above: Tech support scam website.

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.