2017-10-26 - EITEST CAMPAIGN SENDS HOEFLERTEXT POPUPS OR FAKE AV PAGE

NOTES:

• Quick post with taffic and malware archives.
• ZIP and SAZ archives are password-protected.  If you don't know the password, look at the "about" page of this website.

 

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-10-26-EITest-campaign-pcaps.zip   3.3 MB (3,311,814 bytes)

• 2017-10-26-EITest-HoeflerText-popup-sends-NetSupport-RAT.pcap   (3,515,353 bytes)
• 2017-10-26-EITest-script-causes-fake-AV-page.pcap   (31,058 bytes)

• Saz archive of the HTTPS traffic (NetSupport RAT):  2017-10-26-HTTPS-traffic-to-printscreens.info.saz   3.3 MB (3,264,697 bytes)

• Zip archive of the malware:  2017-10-26-EITest-campaign-artifacts.zip   392 kB (392,053 bytes)

• 2017-10-26-AppData-Roaming-Diariosd-client32.ini.txt   (951 bytes)
• 2017-10-26-Font_Chrome.exe   (250,366 bytes)
• 2017-10-26-fake-AV-audio.mpg   (262,144 bytes)
• 2017-10-26-fake-AV-page.txt   (4,374 bytes)
• 2017-10-26-page-from-halfandhalfteaexpress.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (67,418 bytes)
• 2017-10-26-page-from-halfandhalfteaexpress.com-with-injected-EITest-script-for-fake-AV-page.txt   (22,375 bytes)

 

QUICK DETAILS

BACKGROUND:

• 2017-09-01 - Palo Alto Networks Blog:  EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware

TODAY'S TRAFFIC:

• Traffic-wise, today's traffic is nearly identical to my 2017-10-04 blog post on the EITest campaign.
• Files for the NetSupport RAT are still being delivered over HTTPS.
• Like last time, I saw at least 50 GET requests over HTTPS returned text files of base64 strings that were converted to all the NetSupport Manager RAT files.
• First reported on 2017-10-25 by @thlnk3r:  https://twitter.com/thlnk3r/status/923291439336890368

 

IMAGES

 

 

 

 

 

 

 

 

Click here to return to the main page.