2017-10-24 - COMPROMISED SITE HAS EITEST CAMPAIGN PUSHING FAKE AV, ALSO HAS COINMINER JAVASCRIPT

ASSOCIATED FILES:

• Saz archive of Fiddler capture:  2017-10-24-coinminer-javascript-after-pawsprings.ca.saz   207 kB (207,413 bytes)

• Zip archive of the pcaps:  2017-10-24-pcaps-for-coinminer-javascript-and-fake-AV.zip   352 kB (351,630 bytes)

• 2017-10-24-coinminer-javascript-after-pawsprings.ca.pcap   (125,764 bytes)
• 2017-10-24-EITest-fake-AV-page-after-pawsprings.ca.pcap   (401,123 bytes)

• Zip archive of the artifacts:  2017-10-24-artifacts-from-traffic-to-pawsprings.ca.zip   319 kB (318,541 bytes)

• 2017-10-24-coinhive.min.js.txt   (139,676 bytes)
• 2017-10-24-cryptonight-asmjs.min.js.txt   (275,480 bytes)
• 2017-10-24-fake-AV-audio.mp3   (262,144 bytes)
• 2017-10-24-fake-AV-page.txt   (4,374 bytes)
• 2017-10-24-page-from-pawsprings.ca-with-injected-script-for-coinminer.txt   (30,752 bytes)
• 2017-10-24-page-from-pawsprings.ca-with-injected-EITest-script-for-fake-AV.txt   (30,529 bytes)

 

NOTES:

• EITest is the name of a campaign, originally coined by Malwarebytes Labs in 2014, that used exploit kits to deliver malware until earlier this year.
• As 2017 year has progressed, criminals behind EITest have turned to other activity, like fake anti-virus pages and fake HoeflerText popups.
• This site also has coinminer javascript, but I don't know if it's connected to the EITest campaign.

 

TRAFFIC

Shown above:  Traffic for fake AV filtered in Wireshark.

 

Shown above:  Traffic for coinminer javascript filtered in Wireshark.

 

Shown above:  Traffic for coinminer javascript as recorded by Fiddler.

 

ASSOCIATED DOMAINS AND URLS - FAKE AV PAGE:

• pawsprings.ca - Compromised website with injected script
• 162.244.35.33 port 80 - supportte24101234567.tk - GET /index/?2171506271081
• 162.244.35.36 port 80 - techsuper24101.tk - GET /?number=866-967-8771

 

ASSOCIATED DOMAINS AND URLS - COINMINER JAVASCRIPT:

• pawsprings.ca - Compromised website with injected script
• 94.130.90.154 port 443 - coin-hive.com - GET /lib/coinhive.min.js
• 94.130.128.151 port 443 - coinhive.com - GET /lib/coinhive.min.js
• 94.130.128.151 port 443 - coinhive.com - GET /lib/cryptonight-asmjs.min.js
• 94.130.128.151 port 443 - coinhive.com - GET /lib/cryptonight-asmjs.min.js.mem
• 94.130.128.146 port 443 - ws019.coinhive.com - GET /proxy

 

FILE HASHES

MALICIOUS JAVASCRIPT:

• SHA256 hash:  9b3e42330b1c922b7d8b7becff32bb6b110ca8d81b6a3c4beeab96e9dc9e2f6e
  File size:  139,676 bytes
  File location:  hxxps://coinhive.com/lib/coinhive.min.js
  File description:  Coinminer javascript

• SHA256 hash:  674db0478cae40fb5e55c74713a4af2117989075e978afb845ba724c7bc2deb8
  File size:  275,480 bytes
  File location:  hxxps://coinhive.com/lib/cryptonight-asmjs.min.js
  File description:  More coinminer javascript

 

IMAGES

Shown above:  Injected EITest script in page from compromised website pointing to fake AV page.

 

Shown above:  Fake AV page with phone number for tech support scam.

 

Shown above:  Injected script in page from compromised website pointing to coinminer javascript.

 

FINAL NOTES

Once again, here are the associated files:

• Saz archive of Fiddler capture:  2017-10-24-coinminer-javascript-after-pawsprings.ca.saz   207 kB (207,413 bytes)
• Zip archive of the pcaps:  2017-10-24-EITest-campaign-pcaps.zip   352 kB (351,630 bytes)
• Zip archive of the artifacts:  2017-10-24-EITest-campaign-artifacts.zip   319 kB (318,555 bytes)

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.