2017-01-30 - EITEST FAKE CHROME POPUP LEADS TO SPORA RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-01-30-EITest-fake-Chrome-popup-pcaps.zip   377 kB (376,590 bytes)

• 2017-01-30-EITest-fake-Chrome-popup-sends-Spora-ransomware-1st-run.pcap   (359,511 bytes)
• 2017-01-30-EITest-fake-Chrome-popup-sends-Spora-ransomware-2nd-run.pcap   (291,918 bytes)

• ZIP archive of the malware:  2017-01-30-EITest-fake-Chrome-popup-sends-Spora-malware-and-artifacts.zip   163 kB (162,717 bytes)

• 2017-01-30-Spora-ransomware-sent-by-EITest-campaign.exe   (110,712 bytes)
• 2017-01-30-page-from-forum.odroid.com-with-injected-EITest-script-1st-run.txt   (143,162 bytes)
• 2017-01-30-page-from-forum.odroid.com-with-injected-EITest-script-2nd-run.txt   (143,391 bytes)

BACKGROUND ON EITEST FAKE CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint published a writeup about this:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.

BACKGROUND ON SPORA RANSOMWARE:

• As usual, BleepingComputer published a good write-up on Spora shortly after it first appeared (link).

OTHER NOTES:

• Thanks to @killamjr for tweeting about the compromised website.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Start of injected script from the EITest campaign from a page from the compromised site.

 

Shown above:  End of of injected script from the EITest campaign from a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (1st run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (2nd run).

 

ASSOCIATED DOMAINS:

• forum.odroid.com - Compromised site
• 176.57.210.35 port 80 - steklokomplekt.org - POST /update.php   [URL from injected script to download the malware, 1st run]
• 91.211.112.233 port 80 - www.amborusa.org - POST /update.php   [URL from injected script to download the malware, 2nd run]
• 186.2.163.47 port 443 - spora.biz - Spora decryption site

 

FILE HASHES

SPORA RANSOMWARE:

• SHA256 hash:  d5a1c143b07475b367d2e12ff72fe5a3ec59c42fa11ae2d3eb2d4e76442e60b3   (110,712 bytes)
  File name:  Update.exe
  File description:  Spora ransomware from the EITest campaign seen on 2017-01-30

 

IMAGES

Shown above:  Popup within Chrome when viewing the compromised website (image 1 of 2).

 

Shown above:  Popup within Chrome when viewing the compromised website (image 2 of 2).

 

Shown above:  Spora decryption instructions from the HTML file dropped to the Desktop.

 

Shown above:  Spora decryption site at spora.biz.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-01-30-EITest-fake-Chrome-popup-pcaps.zip   377 kB (376,590 bytes)
• ZIP archive of the malware:  2017-01-30-EITest-fake-Chrome-popup-sends-Spora-malware-and-artifacts.zip   163 kB (162,717 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.