2017-04-16 - EITEST CAMPAIGN RIG EK / HOEFLERTEXT CHROME POPUP

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-04-16-EITest-pcaps.zip   1.0 MB (1,035,848 bytes)

• 2017-04-16-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (201,890 bytes)
• 2017-04-16-EITest-Rig-EK-traffic.pcap   (1,356,878 bytes)

• ZIP archive of the malware:  2017-04-16-EITest-malware-and-artifacts.zip   499 kB (499,495 bytes)

• 2017-04-16-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-04-16-EITest-Rig-EK-flash-exploit.swf   (19,110 bytes)
• 2017-04-16-EITest-Rig-EK-landing-page.txt   (117,801 bytes)
• 2017-04-16-EITest-Rig-EK-payload-i4rcqon9.exe   (237,568 bytes) -- I think this is Quant Loader
• 2017-04-16-EITest-Rig-EK-post-infection-follow-up-malware.exe   (311,296 bytes)
• 2017-04-16-Spora-ransomware-decryption-instructions.html   (12,326 bytes)
• 2017-04-16-Spora-ransomware.exe   (79,872 bytes)
• 2017-04-16-page-from-tanaakk.net-with-injected-EITest-script-for-HoeflerText.txt   (97,366 bytes)
• 2017-04-16-page-from-tanaakk.net-with-injected-EITest-script-for-RigEK.txt   (51,084 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

• Although the EITest campaign uses exploit kits (EKs), this actor added HoeflerText popups to its arsenal in January 2017.
• Kafeine wrote about these HoeflerText popups for the Proofpoint Blog.  His write-up is here.
• My most recent write-up on the EITest campaign using Rig EK can be found here at the Palo Alto Networks Blog.
• The flowchart below should explain the chain of events for EITest.

NOTES:

• As always, thanks to @nao_sec for routinely tweeting about compromised websites.  I used that info to generate traffic for this blog post.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  EITest HoeflerText popup traffic when compromised site is viewed using Google Chrome.

 

Shown above:  EITest Rig EK traffic when compromised site is viewed using Internet Explorer.

 

ASSOCIATED DOMAINS:

• tanaakk.net - compromised site (viewed in Google Chrome)
• 176.223.207.41 port 80 - clinicalpsychology.psiedu.ubbcluj.ro - GET /loo.php - Spora ransomware download
• 186.2.161.51 port 80 - torifyme.com - POST / - Spora ransomware decryption site
• 186.2.161.51 port 80 - torifyme.com - GET / - Spora ransomware decryption site

• tanaakk.net - compromised site (viewed in Internet Explorer)
• 188.225.72.22 port 80 - side.chobaniandyr.com - Rig EK
• 51.141.33.47 port 80 - unisdr.top - post-infection traffic
• 51.141.33.47 port 80 - trackerhost.us - post-infection traffic

 

FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

• SHA256 hash:  8a2eafed0b59841f76b0c23bddeb9e3cadfebba4c04a7d24694273642ffec109
  File name:  Chrome Font.exe (with non-ASCII characters for some of the letters)
  File description  Spora ransomware from EITest campaign HoeflerText popup on 2017-04-16

ARTIFACTS FROM RIG EK:

• SHA256 hash:  cd3a17defe0a5c0ff35f6fccdcb33080eb06c02a6a628e5acda3f909a0b58997
  File description  Rig EK Flash exploit seen on 2017-04-16

• SHA256 hash:  26134f16143eb1d5fc2a13f51929166db18a9e04ea381a9bd23cabea24508879
  File description  Rig EK payload from the EITest campaign on 2017-04-16 (possible Quant Loader)

• SHA256 hash:  7a7c25c5694ceecf589bbc30361f9bf249c3825f2334d7595b83cee23234f9a9
  File description  Follow-up malware after EITest Rig EK infection on 2017-04-16

 

FINAL NOTES

Once again, here are the associated files:

li>ZIP archive of the pcaps:  2017-04-16-EITest-pcaps.zip   1.0 MB (1,035,848 bytes)
• ZIP archive of the malware:  2017-04-16-EITest-malware-and-artifacts.zip   499 kB (499,495 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.