2017-02-22 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-02-22-EITest-HoeflerText-Chrome-popup-traffic-both-pcaps.zip   230 kB (230,065 bytes)

• 2017-02-22-EITest-HoeflerText-Chrome-popup-after-expervision.com.pcap   (207,119 bytes)
• 2017-02-22-EITest-HoeflerText-Chrome-popup-after-techydiary.com.pcap   (193,576 bytes)

• ZIP archive of the malware:  2017-02-22-EITest-HoeflerText-Chrome-popup-malware-and-artifacts.zip   143 kB (142,588 bytes)

• 2017-02-22-page-from-expervision.com-with-injected-EITest-HoeflerText-script.txt   (82,380 bytes)
• 2017-02-22-page-from-techydiary.com-with-injected-EITest-HoeflerText-script.txt   (99,821 bytes)
• Chrome Font v8.17.exe   (86,016 bytes)
• Chrome Font v8.72.exe   (86,016 bytes)

BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint tied this to the EITest campaign:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.
• 2017-01-31 - Lawrence Abrams blogged about it at BleepingComputer:  Fake Chrome Font Pack Update Alerts Infecting Visitors with Spora Ransomware
• 2017-02-22 - Mohit Kumar at the Hacker News ran into it:  Beware! Don't Fall For "Font Wasn't Found" Google Chrome Malware Scam

BACKGROUND ON SPORA RANSOMWARE:

• BleepingComputer published a good write-up on Spora shortly after it first appeared (link).

OTHER NOTES:

• Thanks to @killamjr again for his tweets so far on the compromised websites from this campaign.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Start of injected script from the EITest campaign from a page from the compromised site.

 

Shown above:  End of of injected script from the EITest campaign from a page from the compromised site.

 

Shown above:  Popup associated with this campaign.

 

Shown above:  Clicking on the link downloads the malware (you still have to run it to get infected).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (1st run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (2nd run).

 

ASSOCIATED DOMAINS:

• www.expervision.com - Compromised site
• techydiary.com - Compromised site
• 75.119.205.228 port 80 - jackson.edu.gh - POST /open.php   [URL from injected script to download the malware, 1st run]
• 78.46.43.130 port 80 - szkolasokol.edu.pl - POST /open.php   [URL from injected script to download the malware, 2nd run]
• 186.2.163.47 port 80 - spora.biz - POST /   [post-infection traffic from the infected host to the Spora site]
• 186.2.163.47 port 443 - spora.biz - Spora site HTTP/SSL/TLS traffic

 

FILE HASHES

SPORA RANSOMWARE - FIRST RUN:

• SHA256 hash:  cb83d46d30bc9b277c78efe7beb102d0f292cacc2380534fce9c7e4bb192134a   (86,016 bytes)
  File name:  Chrome Font v8.17.exe

SPORA RANSOMWARE - SECOND RUN:

• SHA256 hash:  628b98919665cd028b3f48c48f1f1e9169bd8bb020cd01f9e1c82ccd9c397832   (86,016 bytes)
  File name:  Chrome Font v8.72.exe

 

IMAGES

Shown above:  Decryption instructions dropped as an HTML file to the infected host.

 

Shown above:  Checking the spora.biz site for further instructions.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-02-22-EITest-HoeflerText-Chrome-popup-traffic-both-pcaps.zip   230 kB (230,065 bytes)
• ZIP archive of the malware:  2017-02-22-EITest-HoeflerText-Chrome-popup-malware-and-artifacts.zip   143 kB (142,588 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.