2017-10-24 - COMPROMISED SITE HAS EITEST CAMPAIGN PUSHING FAKE AV, ALSO HAS COINMINER JAVASCRIPT
ASSOCIATED FILES:
- Saz archive of Fiddler capture: 2017-10-24-coinminer-javascript-after-pawsprings.ca.saz 207 kB (207,413 bytes)
- Zip archive of the pcaps: 2017-10-24-pcaps-for-coinminer-javascript-and-fake-AV.zip 352 kB (351,630 bytes)
- 2017-10-24-coinminer-javascript-after-pawsprings.ca.pcap (125,764 bytes)
- 2017-10-24-EITest-fake-AV-page-after-pawsprings.ca.pcap (401,123 bytes)
- Zip archive of the artifacts: 2017-10-24-artifacts-from-traffic-to-pawsprings.ca.zip 319 kB (318,541 bytes)
- 2017-10-24-coinhive.min.js.txt (139,676 bytes)
- 2017-10-24-cryptonight-asmjs.min.js.txt (275,480 bytes)
- 2017-10-24-fake-AV-audio.mp3 (262,144 bytes)
- 2017-10-24-fake-AV-page.txt (4,374 bytes)
- 2017-10-24-page-from-pawsprings.ca-with-injected-script-for-coinminer.txt (30,752 bytes)
- 2017-10-24-page-from-pawsprings.ca-with-injected-EITest-script-for-fake-AV.txt (30,529 bytes)
NOTES:
- EITest is the name of a campaign, originally coined by Malwarebytes Labs in 2014, that used exploit kits to deliver malware until earlier this year.
- As 2017 year has progressed, criminals behind EITest have turned to other activity, like fake anti-virus pages and fake HoeflerText popups.
- This site also has coinminer javascript, but I don't know if it's connected to the EITest campaign.
TRAFFIC
Shown above: Traffic for fake AV filtered in Wireshark.
Shown above: Traffic for coinminer javascript filtered in Wireshark.
Shown above: Traffic for coinminer javascript as recorded by Fiddler.
ASSOCIATED DOMAINS AND URLS - FAKE AV PAGE:
- pawsprings.ca - Compromised website with injected script
- 162.244.35.33 port 80 - supportte24101234567.tk - GET /index/?2171506271081
- 162.244.35.36 port 80 - techsuper24101.tk - GET /?number=866-967-8771
ASSOCIATED DOMAINS AND URLS - COINMINER JAVASCRIPT:
- pawsprings.ca - Compromised website with injected script
- 94.130.90.154 port 443 - coin-hive.com - GET /lib/coinhive.min.js
- 94.130.128.151 port 443 - coinhive.com - GET /lib/coinhive.min.js
- 94.130.128.151 port 443 - coinhive.com - GET /lib/cryptonight-asmjs.min.js
- 94.130.128.151 port 443 - coinhive.com - GET /lib/cryptonight-asmjs.min.js.mem
- 94.130.128.146 port 443 - ws019.coinhive.com - GET /proxy
FILE HASHES
MALICIOUS JAVASCRIPT:
- SHA256 hash: 9b3e42330b1c922b7d8b7becff32bb6b110ca8d81b6a3c4beeab96e9dc9e2f6e
File size: 139,676 bytes
File location: hxxps://coinhive.com/lib/coinhive.min.js
File description: Coinminer javascript
- SHA256 hash: 674db0478cae40fb5e55c74713a4af2117989075e978afb845ba724c7bc2deb8
File size: 275,480 bytes
File location: hxxps://coinhive.com/lib/cryptonight-asmjs.min.js
File description: More coinminer javascript
IMAGES
Shown above: Injected EITest script in page from compromised website pointing to fake AV page.
Shown above: Fake AV page with phone number for tech support scam.
Shown above: Injected script in page from compromised website pointing to coinminer javascript.
FINAL NOTES
Once again, here are the associated files:
- Saz archive of Fiddler capture: 2017-10-24-coinminer-javascript-after-pawsprings.ca.saz 207 kB (207,413 bytes)
- Zip archive of the pcaps: 2017-10-24-EITest-campaign-pcaps.zip 352 kB (351,630 bytes)
- Zip archive of the artifacts: 2017-10-24-EITest-campaign-artifacts.zip 319 kB (318,555 bytes)
Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.