2017-03-10 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-03-10-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip   522 kB (521,980 bytes)
• ZIP archive of the malware:  2017-03-10-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip   167 kB (167,381 bytes)

BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint published a writeup about this tactic:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.
• 2017-01-30 - Brillantit Blog published an in-depth look on the EITest campaign that also covers the HoeflerText Chrome popup:  Exposing EITest campaign.

BACKGROUND ON SPORA RANSOMWARE:

• BleepingComputer published a good write-up on Spora shortly after it first appeared (link).
• If you're curious about other infection vectors for Spora ransomware, read this article on LinkedIn.  It covers how HTA files in malspam are used to spread Spora.

OTHER NOTES:

• The file name is Chrome_font.exe, but the lower-case o used twice in that file name is actually a Greek small letter omicron and not an ASCII lower-case o.
• The malware in the today's archive was renamed using a regular lower-case o in the file name.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Start of injected script in a page from the compromised website.

 

Shown above:  End of injected script in a page from the compromised website.

 

Shown above:  Traffic from the 1st infection filtered in Wireshark.

 

URLS GENERATED BY EITEST HOEFLERTEXT SCRIPT THAT SENT SPORA RANSOMWARE:

• 168.176.145.34 port 80 - idea.manizales.unal.edu.co - POST /files.php
• 190.242.126.11 port 80 - umb.edu.co - POST /files.php
• 143.95.250.182 port 80 - almanhukuku.ozyegin.edu.tr - POST /files.php
• 149.31.8.22 port 80 - smallab.parsons.edu - POST /files.php

 

CHECKING THE SPORA RANSOMWARE DECRYPTION INSTRUCTIONS:

• 186.2.163.47 port 80 - spora.bz - POST /
• 186.2.163.47 port 443 - spora.bz - HTTPS/SSL/TLS traffic

 

FILE HASHES

DOWNLOADED SPORA RANSOMWARE (ALL 4 TIMES):

• SHA256 hash:  78f0b868ea959178415700b4c63aa7bccaaffaac370f810f015f126830b3ab7a
  File name:  Chrome font.exe   (using Greek small letter omicron instead of a lower-case "o")
  File size:  69,632 bytes

 

IMAGES

Shown above:  HoeflerText popup from the compromised website.

 

Shown above:  Clicking the download link from HoeflerText popup.

 

Shown above:  Spora decryption instructions.

 

Shown above:  Spora decryption site.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-03-10-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip   522 kB (521,980 bytes)
• ZIP archive of the malware:  2017-03-10-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip   167 kB (167,381 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.