2017-04-15 - EITEST CAMPAIGN RIG EK / HOEFLERTEXT CHROME POPUP
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-04-15-EITest-pcaps.zip 7.0 MB (7,019,087 bytes)
- 2017-04-15-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap (172,172 bytes)
- 2017-04-15-EITest-Rig-EK-traffic.pcap (11,548,802 bytes)
- ZIP archive of the malware: 2017-04-15-EITest-malware-and-artifacts.zip 521 kB (521,284 bytes)
- 2017-04-15-EITest-Rig-EK-flash-exploit.swf (19,110 bytes)
- 2017-04-15-EITest-Rig-EK-landing-page.txt (117,714 bytes)
- 2017-04-15-EITest-Rig-EK-payload-3v62anzt.exe (208,896 bytes) -- I think this is Quant Loader
- 2017-04-15-EITest-Rig-EK-post-infection-follow-up-malware.exe (401,408 bytes)
- 2017-04-15-Spora-ransomware-decryption-instructions.html (12,326 bytes)
- 2017-04-15-Spora-ransomware.exe (102,400 bytes)
- 2017-04-15-page-from-cardgameheaven.com-with-injected-EITest-script-for-HoeflerText.txt (66,601 bytes)
- 2017-04-15-page-from-cardgameheaven.com-with-injected-EITest-script-for-Rig-EK.txt (19,988 bytes)
BACKGROUND ON THE EITEST CAMPAIGN:
- Although the EITest campaign uses exploit kits (EKs), this actor added HoeflerText popups to its arsenal in January 2017.
- Kafeine wrote about these HoeflerText popups for the Proofpoint Blog. His write-up is here.
- My most recent write-up on the EITest campaign using Rig EK can be found here at the Palo Alto Networks Blog.
- The flowchart below should explain the chain of events for EITest.
NOTES:
- As always, thanks to @nao_sec for routinely tweeting about compromised websites. I used that info to generate traffic for this blog post.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: EITest HoeflerText popup traffic when compromised site is viewed using Google Chrome.
Shown above: EITest Rig EK traffic when compromised site is viewed using Internet Explorer.
ASSOCIATED DOMAINS:
- cardgameheaven.com - compromised site (viewed in Google Chrome)
- 172.110.31.151 port 80 - leadertalk.edu.vn - GET /loo.php - Spora ransomware download
- 186.2.161.51 port 80 - torifyme.com - POST / - Spora ransomware decryption site
- 186.2.161.51 port 80 - torifyme.com - GET / - Spora ransomware decryption site
- cardgameheaven.com - compromised site (viewed in Internet Explorer)
- 217.23.1.61 port 80 - microfitsecuretest.us - Rig EK (landing page)
- 185.158.112.49 port 80 - 185.158.112.49 - Rig EK (exploits & payload)
- 51.141.33.47 port 80 - unisdr.top - post-infection traffic
- 51.141.33.47 port 80 - trackerhost.us - post-infection traffic
FILE HASHES
SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:
- SHA256 hash: 2181633d9bdb10fd4420a6aef5d5fa9e9a69ab7de4e99063ae44716188e394e1
File name: Chrome Font.exe (with non-ASCII characters for some of the letters)
File description: Spora ransomware from EITest campaign HoeflerText popup
ARTIFACTS FROM RIG EK:
- SHA256 hash: 151b5c5a5213a5f7584a6f1a6a4c4705e9e8b938a70080c8e4ecbed7ea7c0609
File description: Rig EK Flash exploit seen on 2017-04-15
- SHA256 hash: f63e5ca44a32340c975bf5613b1cfd2202762e4a42f1f21deb71de18894b9304
File description: Rig EK payload from the EITest campaign on 2017-04-15, possible Quant Loader
- SHA256 hash: 5a0549fc9996e5297c01a925813e65e31d8a7050d58925408d74cac6b4eb97ab
File description: Follow-up malware after EITest Rig EK infection on 2017-04-15
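The domain list and the note about the non-ASCII "Chrome Font.exe" filename are what a defender would turn into a retro-hunt over proxy logs. Below is an added example of that (my code, not something from this post or its author): it matches a constructed, hypothetical proxy-log format against the indicators listed above, and separately flags executable names that mix ASCII and non-ASCII letters, which is how the HoeflerText payload name was disguised. The log format, client IPs and sample lines are constructed for the example.

```python
"""Hunt for the EITest / HoeflerText / Rig EK indicators from this post in proxy logs.

Added example. The log format (client method host path) and all client IPs are
constructed; the hosts, paths and labels come from the post's indicator list.
"""
import re

# (host, exact path or None for any path, label) taken from the post's domain list.
INDICATORS = [
    ("cardgameheaven.com", None, "compromised site (injected EITest script)"),
    ("leadertalk.edu.vn", "/loo.php", "Spora ransomware download"),
    ("torifyme.com", "/", "Spora ransomware decryption site"),
    ("microfitsecuretest.us", None, "Rig EK landing page"),
    ("185.158.112.49", None, "Rig EK exploits & payload"),
    ("unisdr.top", None, "post-infection traffic"),
    ("trackerhost.us", None, "post-infection traffic"),
]

# Constructed sample log in a hypothetical "client method host path" format.
SAMPLE_LOG = """\
10.0.0.5 GET cardgameheaven.com /index.html
10.0.0.5 GET leadertalk.edu.vn /loo.php
10.0.0.5 POST torifyme.com /
10.0.0.7 GET microfitsecuretest.us /?abc
10.0.0.7 GET 185.158.112.49 /?xyz
10.0.0.7 GET unisdr.top /
10.0.0.9 GET example.com /
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$")


def match_line(line):
    """Return (client, host, label) if the line hits an indicator, else None.

    The query string is dropped before comparing paths, so Rig EK's
    "/?..." landing URLs match on host alone, while the Spora download
    only matches the exact "/loo.php" path the post recorded.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].lower()
    path = m["path"].split("?", 1)[0]
    for ioc_host, ioc_path, label in INDICATORS:
        if host == ioc_host and (ioc_path is None or path == ioc_path):
            return (m["client"], host, label)
    return None


def scan_log(text):
    """Scan a whole log; returns the list of hits in log order."""
    hits = []
    for line in text.splitlines():
        hit = match_line(line)
        if hit:
            hits.append(hit)
    return hits


def mixed_script_exe_name(name):
    """True if an .exe filename mixes ASCII and non-ASCII letters.

    The Spora payload was named "Chrome Font.exe" with some letters swapped
    for non-ASCII look-alikes, so a name that contains both kinds of letters
    is worth flagging at download time, regardless of which look-alikes are used.
    """
    if not name.lower().endswith(".exe"):
        return False
    letters = [c for c in name if c.isalpha()]
    has_ascii = any(c.isascii() for c in letters)
    has_non_ascii = any(not c.isascii() for c in letters)
    return has_ascii and has_non_ascii


if __name__ == "__main__":
    for client, host, label in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {label}")
    # Constructed look-alike: Cyrillic letters in place of some Latin ones.
    print(mixed_script_exe_name("Chr\u043em\u0435 F\u043ent.exe"))
```

Client IPs that hit the Spora download or the Rig EK landing page warrant pulling the host, since the post shows both paths end in a running payload; the filename check is independent of the log scan and can be applied to download events on their own.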
IMAGES
Shown above: When using Chrome, we see a HoeflerText popup from the compromised website.
Shown above: Clicking the download link from HoeflerText popup.
Shown above: Spora decryption site.
Shown above: This time, Spora doesn't change the file extensions for the files it encrypts.
Shown above: Using Internet Explorer, we find injected script from the EITest campaign in a page from the compromised website pointing to Rig EK.
Shown above: Some of the post-infection traffic seen after the EITest Rig EK infection.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-04-15-EITest-pcaps.zip 7.0 MB (7,019,087 bytes)
- ZIP archive of the malware: 2017-04-15-EITest-malware-and-artifacts.zip 521 kB (521,284 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.