2017-10-26 - EITEST CAMPAIGN SENDS HOEFLERTEXT POPUPS OR FAKE AV PAGE
NOTES:
- Quick post with traffic and malware archives.
- ZIP and SAZ archives are password-protected. If you don't know the password, look at the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcaps: 2017-10-26-EITest-campaign-pcaps.zip 3.3 MB (3,311,814 bytes)
  - 2017-10-26-EITest-HoeflerText-popup-sends-NetSupport-RAT.pcap (3,515,353 bytes)
  - 2017-10-26-EITest-script-causes-fake-AV-page.pcap (31,058 bytes)
- Saz archive of the HTTPS traffic (NetSupport RAT): 2017-10-26-HTTPS-traffic-to-printscreens.info.saz 3.3 MB (3,264,697 bytes)
- Zip archive of the malware: 2017-10-26-EITest-campaign-artifacts.zip 392 kB (392,053 bytes)
  - 2017-10-26-AppData-Roaming-Diariosd-client32.ini.txt (951 bytes)
  - 2017-10-26-Font_Chrome.exe (250,366 bytes)
  - 2017-10-26-fake-AV-audio.mpg (262,144 bytes)
  - 2017-10-26-fake-AV-page.txt (4,374 bytes)
  - 2017-10-26-page-from-halfandhalfteaexpress.com-with-injected-EITest-script-for-HoeflerText-popup.txt (67,418 bytes)
  - 2017-10-26-page-from-halfandhalfteaexpress.com-with-injected-EITest-script-for-fake-AV-page.txt (22,375 bytes)
QUICK DETAILS
BACKGROUND:
- 2017-09-01 - Palo Alto Networks Blog: EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
TODAY'S TRAFFIC:
- Today's traffic is nearly identical to that in my 2017-10-04 blog post on the EITest campaign.
- Files for the NetSupport RAT are still being delivered over HTTPS.
- Like last time, I saw at least 50 GET requests over HTTPS that returned text files of base64 strings, which were converted to all the NetSupport Manager RAT files.
- First reported on 2017-10-25 by @thlnk3r: https://twitter.com/thlnk3r/status/923291439336890368
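As an added illustration of the check a defender can run for this delivery pattern (example code, not part of the original post): flag HTTP(S) responses whose body is nothing but a base64 string, decode them to see what was staged, and note hosts that serve several such bodies. The sample responses are constructed; only the host name is taken from the SAZ filename above.

```python
import base64
import binascii
import re
from collections import Counter

# A body is "base64-only" when, after removing line breaks, it is one base64 token.
B64_TEXT = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def decode_if_base64(body: bytes):
    """Return the decoded bytes when the whole body is one base64 string, else None."""
    compact = b"".join(body.split())  # tolerate wrapped lines
    if len(compact) < 16 or len(compact) % 4 or not B64_TEXT.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_payload(decoded: bytes) -> str:
    """Rough file-type label for a decoded payload."""
    if decoded[:2] == b"MZ":
        return "pe-executable"   # Windows executable/DLL header
    if decoded.lstrip()[:1] == b"[":
        return "ini-config"      # e.g. a client32.ini-style section header
    return "other"

def find_staged_downloads(responses, threshold=3):
    """responses: iterable of (host, uri, body). Returns the base64-only bodies found
    and the hosts that served at least `threshold` of them."""
    findings, per_host = [], Counter()
    for host, uri, body in responses:
        decoded = decode_if_base64(body)
        if decoded is None:
            continue
        findings.append((host, uri, classify_payload(decoded), len(decoded)))
        per_host[host] += 1
    return findings, sorted(h for h, n in per_host.items() if n >= threshold)

# Constructed sample responses (not taken from the pcap); host from the SAZ filename.
SAMPLE_RESPONSES = [
    ("printscreens.info", "/c/1.txt", base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60)),
    ("printscreens.info", "/c/2.txt", base64.b64encode(b"[Client]\r\nsetting=constructed\r\n")),
    ("printscreens.info", "/c/3.txt", base64.b64encode(bytes(range(64)))),
    ("www.example.com", "/index.html", b"<html><body>normal page</body></html>"),
]

if __name__ == "__main__":
    for finding in find_staged_downloads(SAMPLE_RESPONSES)[0]:
        print(finding)
```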