2017-12-12 - EITEST HOEFLERTEXT POPUPS AND FAKE ANTI-VIRUS PAGES

ASSOCIATED FILES:

  • 2017-12-12-EITest-campaign-Fake-AV-page-traffic.pcap   (367,666 bytes)
  • 2017-12-12-EITest-campaign-HoeflerText-popup-traffic.pcap   (3,376,814 bytes)
  • 2017-12-12-Fake-Chrome-font-update-artifact-js.js.txt   (72,313 bytes)
  • 2017-12-12-NetSupport-Manager-RAT-Font_update.exe   (243,125 bytes)
  • 2017-12-12-NetSupport-manager-RAT-client32.ini.txt   (919 bytes)
  • 2017-12-12-fake-AV-audio.mp3   (262,144 bytes)
  • 2017-12-12-fake-AV-page.txt   (9,748 bytes)
  • 2017-12-12-page-from-rackhouselubbock.com-with-injected-script-for-HoeflerText-popup.txt   (94,537 bytes)
  • 2017-12-12-page-from-rackhouselubbock.com-with-injected-script-for-fake-AV-page.txt   (49,562 bytes)

NOTES:


Shown above:  Current flow chart for activity by the EITest campaign.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

TRAFFIC

LEGITIMATE BUT COMPROMISED SITE:

IF USING GOOGLE CHROME - URL AFTER HOEFLERTEXT POPUP:

POST-INFECTION TRAFFIC FROM FONT_CHROME.EXE AND NETSUPPORT MANAGER RAT:

IF USING INTERNET EXPLORER - URL THAT REDIRECTS TO FAKE ANTI-VIRUS PAGE:

FAKE ANTI-VIRUS PAGE AS SEEN IN THE UNITED STATES:

 

FILE HASHES

FILE DOWNLOADED FROM HOEFLERTEXT POPUP:

 

IMAGES


Shown above:  HoeflerText popup seen from rackhouselubbock.com.

 


Shown above:  Injected script from rackhouselubbock.com when viewing the site from Chrome.

 


Shown above:  Downloading Font_Chrome.exe from the HoeflerText popup.

 


Shown above:  NetSupport Manager RAT on the infected Windows host.

 


Shown above:  Injected script from rackhouselubbock.com when viewing the site from Internet Explorer.

 


Shown above:  Fake anti-virus/tech support scam page after following link from the injected script.

 


Shown above:  Fake anti-virus/tech support scam popup after following link from the injected script.

 


Shown above:  Traffic from the NetSupport Manager RAT infection filtered in Wireshark.

 


Shown above:  Traffic from the Fake AV activity filtered in Wireshark.

 

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
