2017-03-06 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-03-06-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip   833 kB (832,673 bytes)
• ZIP archive of the malware:  2017-03-06-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip   529 kB (528,996 bytes)

BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint published a writeup about this campaign:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.

BACKGROUND ON SPORA RANSOMWARE:

• BleepingComputer published a good write-up on Spora shortly after it first appeared (link).

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Start of injected script in a page from the compromised website.

 

Shown above:  End of injected script in a page from the compromised website.

 

Shown above:  Traffic from the 1st infection filtered in Wireshark.

 

Shown above:  Traffic from the 2nd infection filtered in Wireshark.

 

Shown above:  Traffic from the 3rd infection filtered in Wireshark (forgot to save this one for the pcap archive).

 

Shown above:  Traffic from the 4th infection filtered in Wireshark.

 

Shown above:  Traffic from the 5th infection filtered in Wireshark.

 

Shown above:  Traffic from the 6th infection filtered in Wireshark.

 

Shown above:  Traffic from the 7th infection filtered in Wireshark.

 

Shown above:  Traffic from the 8th infection filtered in Wireshark.

 

URLS GENERATED BY EITEST HOEFLERTEXT SCRIPT THAT SENT SPORA RANSOMWARE:

• 129.121.177.69 port 80 - www.educplus.org - POST /forum.php
• 103.11.74.21 port 80 - alvihadisugondo.com - POST /forum.php
• 107.155.113.132 port 80 - www.stsbmc.edu.bd - POST /forum.php
• 172.110.31.151 port 80 - leadertalk.edu.vn - POST /forum.php
• 107.155.113.132 port 80 - www.sitet.edu.bd - POST /forum.php
• 107.155.113.132 port 80 - www.palashbarimohilamadrasa.edu.bd - POST /forum.php
• 75.119.205.228 port 80 - jackson.edu.gh - POST /forum.php
• 198.15.81.91 port 80 - vistaareducate.com - POST /forum.php

 

CHECKING THE SPORA RANSOMWARE DECRYPTION INSTRUCTIONS:

• 186.2.163.47 port 80 - spora.store - POST /
• 186.2.163.47 port 443 - spora.store - HTTPS/TLS/SSL encrypted traffic

 

FILE HASHES

DOWNLOADED SPORA RANSOMWARE:

• e5712f92ca5bb7f7cc71fceb2085e07b419be896d597b08ddc771005382d57e4 - 2017-03-06-Spora-Ransomware-1st-run-Chrome_font.exe
• 459e5023a0f2a3f03da5bee3140395ed1b9cf943fb5367e29ea6b54b16d50840 - 2017-03-06-Spora-Ransomware-2nd-run-Chrome_font.exe
• ebb49d61236b6fcdba54a197707f3ea1de621f46c1a8410e69090c2ab6cddad0 - 2017-03-06-Spora-Ransomware-3rd-run-Chrome_font.exe
• 85087a5596cd8d9aab4b05d1cb948daf33d971b5c84e092c5d0fa5c619cf0990 - 2017-03-06-Spora-Ransomware-4th-run-Chrome_font.exe
• a8c0ba2223340751ede5bf307a9637bc7ff8a1dc5333f83f4ba194710f40e367 - 2017-03-06-Spora-Ransomware-5th-run-Chrome_font.exe
• 5ab9b586eaf1bcaa76443b4f69d67e57a057d57cb30b6d863a7cfab3d0882c2a - 2017-03-06-Spora-Ransomware-6th-run-Chrome_font.exe
• de271e00cdba9f2819e20a3860b425dcc1066c7a8fdd89e18798e249bf64b1c6 - 2017-03-06-Spora-Ransomware-7th-run-Chrome_font.exe
• 2ad9bf44d986593d21176a836e079d3236d6610e88ada74d4cab83392aa9ed42 - 2017-03-06-Spora-Ransomware-8th-run-Chrome_font.exe

 

IMAGES

Shown above:  HoeflerText popup from the compromised website.

 

Shown above:  Clicking the download link from HoeflerText popup.

 

Shown above:  Spora decryption instructions.

 

Shown above:  Spora decryption site.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-03-06-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip   833 kB (832,673 bytes)
• ZIP archive of the malware:  2017-03-06-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip   529 kB (528,996 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.