2017-10-04 - EITEST CAMPAIGN HOEFLERTEXT POPUP / FAKE AV ALERT

ASSOCIATED FILES:

  • 2017-10-04-EITest-HoeflerText-popup-sends-NetSupport-Manager-RAT.pcap   (3,367,405 bytes)
  • 2017-10-04-Font_Chrome.exe   (349,782 bytes)
  • 2017-10-04-client32.ini   (951 bytes)
  • 2017-10-04-js.js   (41,133 bytes)
  • 2017-10-04-page-from-joconner.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (114,077 bytes)

BACKGROUND:

NOTES:


Shown above:  @killamjr's tweet.

 


Shown above:  Flow chart for activity caused by the EITest campaign.

 

TRAFFIC


Shown above:  Traffic from HoeflerText popup and NetSupport Manager RAT infection caused by the EITest campaign.

 


Shown above:  Start of HTTPS traffic from Fiddler capture showing the URLs (1 of 2).

 


Shown above:  End of HTTPS traffic from Fiddler capture showing the URLs (2 of 2).

 


Shown above:  Final GET request noted in the HTTPS traffic.

 

LEGIMATE BUT COMPROMISED SITE:

IF USING GOOGLE CHROME - URL FROM HOEFLERTEXT POPUP:

POST-INFECTION TRAFFIC FROM FONT_CHROME.EXE AND NETSUPPORT MANAGER RAT:

IF USING INTERNET EXPLORER - URL THAT REDIRECTS TO FAKE ANTI-VIRUS PAGE:

FAKE ANTI-VIRUS PAGE AS SEEN IN THE UNITED STATES:

PHONE NUMBER FOR TECH SUPPORT SCAM (UNITED STATES):

 

FILE HASHES

FILE DOWNLOADED FROM HOEFLERTEXT POPUP:

JAVASCRIPT FILE FROM THE INFECTED HOST:

NETSUPPORT CLIENT EXECUTABLE (32-BIT):

 

IMAGES


Shown above:  Traffic for HoeflerText popup and NetSupport Manager RAT infection.

 


Shown above:  Injected EITest script in page from compromised website, highlighting URL to download Font_Chrome.exe.

 


Shown above:  Downloading Font_Chrome.exe.

 


Shown above:  The downloaded executable.

 


Shown above:  All of the HTTPS requests retrieved text files consisting of base64 strings that were later converted to various
binaries for the NetSupport Manager RAT installation.

 


Shown above:  Some of the NetSupport Manager RAT files.

 


Shown above:  Injected EITest script for fake AV notice in page from the compromised site.

 


Shown above:  URL that redirects to fake AV notice.

 


Shown above:  The fake AV notice.

 

FINAL NOTES

Once again, here are the associated files:

ZIP and SAZ files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.