2017-12-26 - EITEST CAMPAIGN HOEFLERTEXT POPUPS OR FAKE AV ALERTS

ASSOCIATED FILES:

  • 2017-12-26-EITest-HoelflerText-popup-sends-NetSupport-Manager-RAT.pcap   (3,352,708 bytes)
  • 2017-12-26-EITest-script-leads-to-fake-AV-page-for-tech-support-scam.pcap   (345,112 bytes)
  • 2017-12-26-Fake-AV-page-audio.mp3   (262,144 bytes)
  • 2017-12-26-Fake-AV-page-defender.png   (13,386 bytes)
  • 2017-12-26-Fake-AV-page-for-tech-support-scam.txt   (12,404 bytes)
  • 2017-12-26-NetSupport-Manager-RAT-client32.ini.txt   (919 bytes)
  • 2017-12-26-NetSupport-Manager-RAT-installer-artifact-js.js.txt   (287,876 bytes)
  • 2017-12-26-Netsupport-Manager-RAT-Font_update.exe   (420,072 bytes)
  • 2017-12-26-page-from-rustyhealyinsurance.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (85,989 bytes)
  • 2017-12-26-page-from-rustyhealyinsurance.com-with-injected-EITest-script-for-fake-AV-page.txt   (40,925 bytes)

BACKGROUND:

 


Shown above:  Flow chart for activity caused by the EITest campaign.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

TRAFFIC


Shown above:  Traffic from HoeflerText popup and NetSupport Manager RAT infection caused by the EITest campaign.

 


Shown above:  Traffic from fake AV page caused by the EITest campaign.

 

LEGITIMATE BUT COMPROMISED SITE:

IF USING GOOGLE CHROME - URL FROM HOEFLERTEXT POPUP:

POST-INFECTION TRAFFIC FROM FONT_CHROME.EXE AND NETSUPPORT MANAGER RAT:

IF USING INTERNET EXPLORER - URL THAT REDIRECTS TO FAKE ANTI-VIRUS PAGE:

FAKE ANTI-VIRUS PAGE AS SEEN IN THE UNITED STATES:

PHONE NUMBER FOR TECH SUPPORT SCAM (UNITED STATES):

 

FILE HASHES

FILE DOWNLOADED FROM HOEFLERTEXT POPUP:

JAVASCRIPT FILE FROM THE INFECTED HOST:

NETSUPPORT CLIENT EXECUTABLE (32-BIT):

 

IMAGES


Shown above:  Fake HoeflerText popup caused by the EITest campaign.

 


Shown above:  Injected EITest script in page from compromised website, highlighting URL to download Font_Chrome.exe.

 


Shown above:  Downloading Font_Chrome.exe.

 


Shown above:  The HTTPS requests retrieved text files consisting of base64 strings that were converted to various
binaries for the NetSupport Manager RAT.
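As an added example (not code from the original post, and not the campaign's own installer script), the Python below mimics the decode step described in the caption above: each retrieved text body is treated as a base64 string, decoded, hashed, and checked for a DOS/PE header so the analyst can tell which of the returned files are executables. The file names and contents in SAMPLE_FILES are constructed stand-ins, not the real NetSupport files from the infection; the MZ/e_lfanew/PE check is the standard PE layout, not something taken from this page.

```python
import base64
import hashlib
import re
import struct

# Added example, not part of the original post. The post reports that the
# HTTPS requests returned text files of base64 that were turned into the
# NetSupport Manager RAT binaries; this mimics that decode step on
# constructed inputs and flags which results are PE executables.


def decode_b64_payload(text: str) -> bytes:
    """Decode a text body that is base64, tolerating line wrapping,
    stray whitespace and missing '=' padding."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    cleaned += "=" * (-len(cleaned) % 4)   # restore padding if it was dropped
    return base64.b64decode(cleaned)


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. Standard PE layout, not page-specific."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_payload(name: str, text: str) -> dict:
    """Decode one retrieved text file and summarise it for an IOC list."""
    data = decode_b64_payload(text)
    return {
        "name": name,
        "size": len(data),
        "sha256": sha256_hex(data),
        "is_pe": is_pe(data),
    }


def triage_all(files: dict) -> dict:
    """Run triage over {filename: text body} and key the results by name."""
    return {name: triage_payload(name, body) for name, body in files.items()}


def build_fake_pe(tail: bytes = b"\x00" * 16) -> bytes:
    """Constructed stand-in for an executable: a 64-byte DOS header with
    e_lfanew = 0x40 followed by the 'PE\\0\\0' signature. Not runnable code."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + tail


# Constructed sample "downloads": names and contents are illustrative only.
SAMPLE_FILES = {
    # wrapped at 76 columns, as base64.encodebytes emits it
    "fake-client32.exe.txt": base64.encodebytes(build_fake_pe()).decode(),
    # a non-PE blob standing in for a text config, with padding stripped
    "fake-config.txt": base64.b64encode(b"[constructed]\r\nkey=value\r\n").decode().rstrip("="),
}


if __name__ == "__main__":
    for row in triage_all(SAMPLE_FILES).values():
        print(f"{row['name']:24} {row['size']:6d} bytes  pe={row['is_pe']}  sha256={row['sha256']}")
```

On a real capture you would feed triage_all the decrypted HTTPS response bodies (or the text files recovered from the infected host) and compare the resulting SHA-256 values against the hashes in the FILE HASHES section; anything that decodes to a PE but is not in that list is worth a second look.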

 


Shown above:  Some of the NetSupport Manager RAT files.

 


Shown above:  Injected EITest script in page from the compromised site with link that leads to fake AV page highlighted.

 


Shown above:  The fake AV page.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
