2017-04-07 - IF USING CHROME: EITEST = HOEFLERTEXT POPUP - IF USING IE: EITEST = RIG EK
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-07-EITest-campaign-HoeflerText-popups-and-Rig-EK-pcaps.zip 1.8 MB (1,845,245 bytes)
- 2017-04-07-1st-run-EITest-campaign-HoeflerText-popup-sends-Spora-ransomware.pcap (263,663 bytes)
- 2017-04-07-1st-run-EITest-campaign-Rig-EK-sends-Matrix-ransomware-variant.pcap (659,016 bytes)
- 2017-04-07-2nd-run-EITest-campaign-HoeflerText-popup-sends-Spora-ransomware.pcap (203,114 bytes)
- 2017-04-07-2nd-run-EITest-campaign-Rig-EK-sends-Matrix-ransomware-variant.pcap (615,556 bytes)
- 2017-04-07-3rd-run-EITest-campaign-HoeflerText-popup-sends-Spora-ransomware.pcap (136,858 bytes)
- 2017-04-07-3rd-run-EITest-campaign-Rig-EK-sends-Matrix-ransomware-variant.pcap (528,656 bytes)
- ZIP archive of the malware: 2017-04-07-EITest-campaign-HoeflerText-popups-and-Rig-EK-artifacts.zip 1.4 MB (1,445,940 bytes)
- 2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe (78,848 bytes)
- 2017-04-07-1st-run-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe (411,136 bytes)
- 2017-04-07-1st-run-Rig-EK-landing-page.txt (117,786 bytes)
- 2017-04-07-1st-run-page-from-trackingsharks.com-with-injected-EITest-script-for-HoeflerText.txt (163,933 bytes)
- 2017-04-07-1st-run-page-from-trackingsharks.com-with-injected-EITest-script-for-Rig-EK.txt (75,579 bytes)
- 2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe (65,536 bytes)
- 2017-04-07-2nd-run-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe (377,344 bytes)
- 2017-04-07-2nd-run-Rig-EK-landing-page.txt (117,721 bytes)
- 2017-04-07-2nd-run-page-from-everythingcebu.com-with-injected-EITest-script-for-HoeflerText.txt (68,432 bytes)
- 2017-04-07-2nd-run-page-from-everythingcebu.com-with-injected-EITest-script-for-Rig-EK.txt (114,254 bytes)
- 2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe (78,848 bytes)
- 2017-04-07-3rd-run-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe (377,344 bytes)
- 2017-04-07-3rd-run-Rig-EK-landing-page.txt (117,740 bytes)
- 2017-04-07-3rd-run-page-from-mojdehstudio.ir-with-injected-EITest-script-for-HoeflerText.txt (142,980 bytes)
- 2017-04-07-3rd-run-page-from-mojdehstudio.ir-with-injected-EITest-script-for-Rig-EK.txt (97,401 bytes)
- 2017-04-07-Matrix-variant-decryption-instructions.hta (3,231 bytes)
- 2017-04-07-Matrix-variant-decryption-instructions.rtf (5,684 bytes)
- 2017-04-07-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-04-07-Rig-EK-flash-exploit.swf (38,178 bytes)
- 2017-04-07-Spora-decryption-instructions.html (12,320 bytes)
BACKGROUND ON THE EITEST CAMPAIGN:
- Although the EITest campaign uses exploit kits (EKs), EITest added the HoeflerText popups to its arsenal in January 2017.
- Kafeine wrote about these HoeflerText popups for the Proofpoint Blog. His write-up is here.
- My most recent write-up on the EITest campaign using Rig EK can be found here at the Palo Alto Networks Blog.
- The flowchart below should explain the flow of events for EITest.
NOTES:
- Thanks to @nao_sec for routinely tweeting about compromised websites that kick off infection chains for various campaigns using EKs.
Shown above: Flowchart for this infection traffic.
EITEST CAMPAIGN USING GOOGLE CHROME
Shown above: If you use Google Chrome, the site has injected script that shows a HoeflerText font notification.
Shown above: Clicking the download link sends a file named Chrome font.exe with some non-ASCII characters in the file name.
Shown above: Double-click the Chrome font.exe file, and you infect your Windows host with Spora ransomware.
Shown above: Clicking on the link in the decryption instructions takes you to the Spora decryption service site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
EITEST CAMPAIGN USING INTERNET EXPLORER
Shown above: Visit the same site using Internet Explorer, and you get different injected script leading to Rig EK.
Shown above: Pcap of the traffic filtered in Wireshark.
Shown above: Desktop of the infected Windows host. When EITest used Rig EK, my hosts were infected with a Matrix ransomware variant.
TRAFFIC
ASSOCIATED DOMAINS:
- www.trackingsharks.com - Compromised website (EITest campaign)
- www.everythingcebu.com - Compromised website (EITest campaign)
- www.mojdehstudio.ir - Compromised website (EITest campaign)
- 91.121.16.159 port 80 - www.lannexedumoulin.be - GET /hot.php [URL from HoeflerText popup sending Spora ransomware]
- 176.223.207.41 port 80 - clinicalpsychology.psiedu.ubbcluj.ro - GET /hot.php [URL from HoeflerText popup sending Spora ransomware]
- 186.2.161.51 port 80 - torifyme.com - Post-infection HTTP traffic when checking site for Spora decryption instructions
- 185.159.128.247 port 80 - admin.globalmigration.cn - Rig EK
- 185.159.128.247 port 80 - admin.one-visa.com - Rig EK
- 31.41.216.90 port 80 - stat6.s76.r53.com.ua - Post-infection HTTP traffic caused by Matrix ransomware variant
- 31.41.217.90 port 80 - stat6.s76.r53.com.ua - Post-infection HTTP traffic caused by Matrix ransomware variant
- 148.251.13.83 port 80 - stat6.s76.r53.com.ua - Post-infection HTTP traffic caused by Matrix ransomware variant
- 195.248.235.240 port 80 - stat6.s76.r53.com.ua - Post-infection HTTP traffic caused by Matrix ransomware variant
- 195.248.235.241 port 80 - stat6.s76.r53.com.ua - Post-infection HTTP traffic caused by Matrix ransomware variant
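The indicators above are easiest to use when they are checked against proxy or HTTP logs automatically. Below is an added example (not from the original post, and not a tool from this site) that loads the hostnames and server IPs listed in the ASSOCIATED DOMAINS section, matches them against HTTP log lines, and labels which stage of the EITest chain each hit belongs to (compromised site, HoeflerText payload URL, Rig EK, or post-infection callback). The log format, the client IPs, the timestamps, and the server IP for the compromised site are constructed for illustration; only the hostnames, server IPs and the /hot.php URI come from the page.

```python
"""
Added example (not part of the original post): scan constructed HTTP
proxy log lines against the indicators listed on this page for the
2017-04-07 EITest traffic, and label which stage of the infection chain
each hit belongs to. The log format and log lines are assumed/constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Hostnames from the ASSOCIATED DOMAINS list, mapped to their role.
HOST_STAGES: Dict[str, str] = {
    "www.trackingsharks.com": "compromised site with injected EITest script",
    "www.everythingcebu.com": "compromised site with injected EITest script",
    "www.mojdehstudio.ir": "compromised site with injected EITest script",
    "www.lannexedumoulin.be": "HoeflerText popup URL sending Spora ransomware",
    "clinicalpsychology.psiedu.ubbcluj.ro": "HoeflerText popup URL sending Spora ransomware",
    "torifyme.com": "post-infection traffic (Spora decryption instructions)",
    "admin.globalmigration.cn": "Rig EK",
    "admin.one-visa.com": "Rig EK",
    "stat6.s76.r53.com.ua": "post-infection traffic (Matrix ransomware variant)",
}

# Server IPs from the same list, used when a log line carries no Host value.
IP_STAGES: Dict[str, str] = {
    "91.121.16.159": "HoeflerText popup URL sending Spora ransomware",
    "176.223.207.41": "HoeflerText popup URL sending Spora ransomware",
    "186.2.161.51": "post-infection traffic (Spora decryption instructions)",
    "185.159.128.247": "Rig EK",
    "31.41.216.90": "post-infection traffic (Matrix ransomware variant)",
    "31.41.217.90": "post-infection traffic (Matrix ransomware variant)",
    "148.251.13.83": "post-infection traffic (Matrix ransomware variant)",
    "195.248.235.240": "post-infection traffic (Matrix ransomware variant)",
    "195.248.235.241": "post-infection traffic (Matrix ransomware variant)",
}

# The URI requested from both HoeflerText payload hosts (from the page).
SPORA_PAYLOAD_URI = "/hot.php"

# Assumed log format: "<timestamp> <client_ip> <server_ip> <method> <host> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def normalize_host(host: str) -> str:
    """Lower-case the Host value and drop any ':port' suffix."""
    host = host.strip().lower()
    if ":" in host:
        host = host.split(":", 1)[0]
    return host


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (stage, evidence) if the log line hits an indicator, else None.

    A hostname match is preferred; the server IP is the fallback for
    log lines that carry no Host value. A /hot.php request to one of the
    payload hosts is called out explicitly, since that is the download.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = normalize_host(m.group("host"))
    dst = m.group("dst")
    uri = m.group("uri")

    stage = HOST_STAGES.get(host)
    evidence = f"host {host}"
    if stage is None:
        stage = IP_STAGES.get(dst)
        evidence = f"server ip {dst}"
    if stage is None:
        return None
    if stage.startswith("HoeflerText") and uri == SPORA_PAYLOAD_URI:
        evidence += f", uri {uri} (Spora payload download)"
    return stage, evidence


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over many lines; return (line, stage, evidence) per hit."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((line, result[0], result[1]))
    return hits


# Constructed sample lines: client IPs, timestamps and the 203.0.113.x
# server IPs are made up; the last line has no Host value ("-").
SAMPLE_LOG = [
    "2017-04-07T14:01:02Z 10.0.0.15 203.0.113.10 GET www.trackingsharks.com /",
    "2017-04-07T14:01:09Z 10.0.0.15 91.121.16.159 GET www.lannexedumoulin.be /hot.php",
    "2017-04-07T14:03:40Z 10.0.0.15 186.2.161.51 GET torifyme.com /",
    "2017-04-07T14:05:00Z 10.0.0.15 203.0.113.50 GET www.example.com /index.html",
    "2017-04-07T14:10:12Z 10.0.0.22 185.159.128.247 GET admin.one-visa.com /",
    "2017-04-07T14:12:30Z 10.0.0.22 31.41.216.90 POST - /",
]

if __name__ == "__main__":
    for line, stage, evidence in scan(SAMPLE_LOG):
        print(f"{stage:55s} <- {evidence}")
```

Matching on the hostname first and the server IP second mirrors how the list above is organized: the compromised sites are only known by name, while the Matrix callback domain resolved to several IPs, so a log that records only the destination address still produces a hit.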
EMAIL ADDRESSES FROM THE MATRIX RANSOMWARE VARIANT DECRYPTION INSTRUCTIONS:
- redtablet9643@yahoo.com - Primary email
- decodedecode@tutanota.com - Backup email
FILE HASHES
RIG EK FLASH EXPLOIT:
- SHA256 hash: d9e30decea0fb06fb9785c01debf5c378693de344e912b2a3fb159ec87eeb9c5
File size: 38,178 bytes
File description: Rig EK flash exploit seen on 2017-04-07
SPORA RANSOMWARE FROM EITEST HOEFLERTEXT POPUP:
- SHA256 hash: 1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb
File size: 78,848 bytes
File description: Spora ransomware from www.lannexedumoulin.be (1st run)
- SHA256 hash: fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb
File size: 65,536 bytes
File description: Spora ransomware from www.lannexedumoulin.be (2nd run)
- SHA256 hash: a1566b0b4783b58fefb512872ed01310fe5c9c3a64303f547739787be68a45da
File size: 78,848 bytes
File description: Spora ransomware from clinicalpsychology.psiedu.ubbcluj.ro
MATRIX RANSOMWARE VARIANT FROM EITEST RIG EK:
- SHA256 hash: efa729e2537a939a2c5e0acc81a99419d7477b6ab5fd4089bd85fd85087c9bcc
File size: 411,136 bytes
File description: Matrix ransomware variant from Rig EK at admin.globalmigration.cn
- SHA256 hash: db2fbc670f225d5b29fd247bb410e21b4816df50e8c24737797b84f83592cf79
File size: 377,344 bytes
File description: Matrix ransomware variant from Rig EK at admin.one-visa.com
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-07-EITest-campaign-HoeflerText-popups-and-Rig-EK-pcaps.zip 1.8 MB (1,845,245 bytes)
- ZIP archive of the malware: 2017-04-07-EITest-campaign-HoeflerText-popups-and-Rig-EK-artifacts.zip 1.4 MB (1,445,940 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.