2017-02-14 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-02-14-EITest-HoeflerText-Chrome-popup-leads-to-Spora-ransomware-pcaps.zip 296 kB (296,175 bytes)
- ZIP archive of the malware: 2017-02-14-EITest-HoeflerText-Chrome-popup-leads-to-Spora-ransomware-and-artifacts.zip 234 kB (234,379 bytes)
BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:
- 2017-01-17 - Kafeine at Proofpoint published a writeup about this campaign: EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.
BACKGROUND ON SPORA RANSOMWARE:
- BleepingComputer published a good write-up on Spora shortly after it first appeared.
Image (not reproduced here): Flowchart for this infection traffic.
TRAFFIC
ASSOCIATED DOMAINS:
- holinergroup.com - Compromised site
- 193.255.242.61 port 80 - kuzem2.kku.edu.tr - POST /info.php [returned Spora ransomware]
- 131.123.99.24 port 80 - nutr.ehhs.kent.edu - POST /info.php [returned Spora ransomware]
- 190.104.250.116 port 80 - www.emprendedores.itba.edu.ar - POST /info.php [returned Spora ransomware]
- 217.26.213.73 port 80 - vpsle.edu.rs - POST /info.php [returned Spora ransomware]
- 103.224.23.101 port 80 - www.distanceeducationschool.com - POST /info.php [returned Spora ransomware]
- 186.2.163.47 port 443 - spora.biz - Spora decryption site
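Added example, not part of this post or its pcaps: a small Python scan over constructed proxy-log lines that flags the two observable traits of this chain listed above, the fake "Chrome Font vX.XX.exe" filename and a POST to /info.php that is answered with an executable. The log format, the sample lines and the hostnames used in them are assumptions for illustration, not the real captures.

```python
import re

# Constructed proxy-log lines (not taken from the pcaps on this page). Fields:
# client method host path status response-content-type attachment-filename
SAMPLE_LOG = """\
10.0.0.5 GET holinergroup.com / 200 text/html -
10.0.0.5 POST kuzem2.kku.edu.tr /info.php 200 application/x-msdownload "Chrome Font v2.41.exe"
10.0.0.7 POST www.example.org /info.php 200 text/html -
10.0.0.9 GET updates.example.net /setup.exe 200 application/x-msdownload "setup.exe"
10.0.0.9 POST nutr.ehhs.kent.edu /info.php 200 application/octet-stream "Chrome Font v3.28.exe"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) (?:"(?P<fname>[^"]*)"|(?P<nofname>-))$'
)
# The fake font update in this campaign is named "Chrome Font v<major>.<minor>.exe".
FAKE_FONT_RE = re.compile(r'^Chrome Font v\d+\.\d+\.exe$', re.IGNORECASE)
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse_line(line):
    """Split one assumed-format log line into fields, or return None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons (possibly none) this request resembles the EITest/Spora chain."""
    reasons = []
    if FAKE_FONT_RE.match(rec.get("fname") or ""):
        reasons.append("fake 'Chrome Font' executable name")
    if rec["method"] == "POST" and rec["path"] == "/info.php" and rec["ctype"] in EXE_TYPES:
        reasons.append("POST /info.php answered with an executable")
    return reasons


def scan(log_text):
    """Return (client, host, reasons) for every line that triggers at least one check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

A POST to /info.php on its own is common and noisy; the executable content type is what makes it worth a closer look, so tune the second check to your own proxy's logging of response types.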
FILE HASHES
SPORA RANSOMWARE:
- 444cf5c58a75936d8522db7a46369d732ecf90321fb8fc64bcb126ded213eca0 - Chrome Font v1.25.exe
- e2c68ced5b9078c88dded6ee92dcda61f9ccff467f47eb4cdff9c0423acede66 - Chrome Font v2.41.exe
- 55cd11127474fb89f0edeab556690a492f520812d2de40d0c765d8c14286af6c - Chrome Font v2.96.exe
- 664e65f58fb8b110ef5564af4f059c1526715f2e902feec90313310c455ffd5d - Chrome Font v3.28.exe
- 3e0e79f7994192308160afe7d3783088a47fc9fd84ff0ef03f1a197e595894aa - Chrome Font v3.66.exe
IMAGES
Image (not reproduced here): Popup within Chrome when viewing the compromised website (image 1 of 2).
Image (not reproduced here): Popup within Chrome when viewing the compromised website (image 2 of 2).
Image (not reproduced here): Spora decryption instructions from the HTML file dropped to the Desktop.
Image (not reproduced here): Spora decryption site at spora.biz.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-02-14-EITest-HoeflerText-Chrome-popup-leads-to-Spora-ransomware-pcaps.zip 296 kB (296,175 bytes)
- ZIP archive of the malware: 2017-02-14-EITest-HoeflerText-Chrome-popup-leads-to-Spora-ransomware-and-artifacts.zip 234 kB (234,379 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.