2017-09-01 - EITEST HOEFLERTEXT POPUPS OR FAKE ANTI-VIRUS PAGES

ASSOCIATED FILES:

  • 2017-09-01-EITest-HoeflerText-popup-from-backupcare.org.pcap   (3,172,015 bytes)
  • 2017-09-01-EITest-HoeflerText-popup-from-canadoodles.com.pcap   (776,352 bytes)
  • 2017-09-01-EITest-HoeflerText-popup-from-one-hour.fr.pcap   (2,368,009 bytes)
  • 2017-09-01-EITest-tech-support-scam-after-backupcare.org.pcap   (296,754 bytes)
  • 2017-09-01-EITest-tech-support-scam-after-canadoodles.com.pcap   (447,286 bytes)
  • 2017-09-01-EITest-tech-support-scam-after-one-hour.fr.pcap   (204,197 bytes)
  • 2017-09-01-fake-anti-virus-audio-in-English-from-angel3081.tk.mp3   (262,144 bytes)
  • 2017-09-01-fake-anti-virus-audio-in-French-from-angel30811.ml.mp3   (524,288 bytes)
  • 2017-09-01-fake-antivirus-page-in-English-from-angel3081.tk.txt   (4,374 bytes)
  • 2017-09-01-fake-antivirus-page-in-French-from-angel30811.ml.txt   (6,635 bytes)
  • 2017-09-01-page-from-backupcare.org-with-injected-hoeflertext-script.txt   (61,740 bytes)
  • 2017-09-01-page-from-backupcare.org-with-injected-script-to-fake-AV-site.txt   (16,661 bytes)
  • 2017-09-01-page-from-canadoodles.com-with-injected-hoeflertext-script.txt   (75,814 bytes)
  • 2017-09-01-page-from-canadoodles.com-with-injected-script-to-fake-AV-site.txt   (30,746 bytes)
  • 2017-09-01-page-from-one-hour.fr-with-injected-hoeflertext-script.txt   (123,363 bytes)
  • 2017-09-01-page-from-one-hour.fr-with-injected-script-to-fake-AV-site.txt   (78,410 bytes)
  • Font_Chrome.exe   (274,889 bytes)
  • eq2o3pu2z.jpg.exe   (2,665,634 bytes)

NOTES:


Shown above:  Current flow chart for activity caused by the EITest campaign.

 

TRAFFIC

LEGITIMATE BUT COMPROMISED SITES:

IF USING GOOGLE CHROME - URL AFTER HOEFLERTEXT POPUP:

POST-INFECTION TRAFFIC FROM FONT_CHROME.EXE AND NETSUPPORT MANAGER RAT:

IF USING INTERNET EXPLORER - URL THAT REDIRECTS TO FAKE ANTI-VIRUS PAGE:

FAKE ANTI-VIRUS PAGE AS SEEN IN THE UNITED STATES:

FAKE ANTI-VIRUS PAGE AS SEEN IN FRANCE:

 

FILE HASHES

FILE DOWNLOADED FROM HOEFLERTEXT POPUP:

SECOND-STAGE MALWARE (INSTALLS NETSUPPORT MANAGER RAT):

 

IMAGES


Shown above:  HoeflerText popup seen from one-hour.fr.

 


Shown above:  Downloading Font_Chrome.exe from the HoeflerText popup.

 


Shown above:  Page from backupcare.org has the injected script, but I did not see the HoeflerText notification.

 


Shown above:  But you can still get to the malware by viewing the source code on that page from backupcare.org.

 


Shown above:  HoeflerText popup seen from Canadoodles.com.

 


Shown above:  Metadata for today's Font_Chrome.exe from the HoeflerText popup.

 


Shown above:  Follow-up malware downloaded by Font_Chrome.exe.

 


Shown above:  NetSupport Manager RAT on the infected host is at version 11.0.0.476 (most current version is 12.5).

 


Shown above:  Pcap from HoeflerText popup and NetSupport Manager RAT infection filtered in Wireshark (1 of 2).

 


Shown above:  Pcap from HoeflerText popup and NetSupport Manager RAT infection filtered in Wireshark (2 of 2).

 


Shown above:  Pcap from HoeflerText popup filtered in Wireshark.

 


Shown above:  Last part of injected script in page from compromised site for fake AV page (1 of 3).

 


Shown above:  Last part of injected script in page from compromised site for fake AV page (2 of 3).

 


Shown above:  Last part of injected script in page from compromised site for fake AV page (3 of 3).

 


Shown above:  Fake anti-virus page (as seen in the United States).

 


Shown above:  Fake anti-virus popup window (as seen in the United States).

 


Shown above:  Fake anti-virus page (as seen in France).

 


Shown above:  Fake anti-virus popup window (as seen in France).

 


Shown above:  Pcap from fake anti-virus notification filtered in Wireshark (1 of 3).

 


Shown above:  Pcap from fake anti-virus notification filtered in Wireshark (2 of 3).

 


Shown above:  Pcap from fake anti-virus notification filtered in Wireshark (3 of 3).

 

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.