2017-12-12 - EITEST HOEFLERTEXT POPUPS AND FAKE ANTI-VIRUS PAGES

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-12-12-EITest-campaign-pcaps.zip   3.5 MB (3,454,208 bytes)

• 2017-12-12-EITest-campaign-Fake-AV-page-traffic.pcap   (367,666 bytes)
• 2017-12-12-EITest-campaign-HoeflerText-popup-traffic.pcap   (3,376,814 bytes)

• Zip archive of the malware and associated artifacts:  2017-12-12-EITest-campaign-malware-and-artifacts.zip   418 kB (418,148 bytes)

• 2017-12-12-Fake-Chrome-font-update-artifact-js.js.txt   (72,313 bytes)
• 2017-12-12-NetSupport-Manager-RAT-Font_update.exe   (243,125 bytes)
• 2017-12-12-NetSupport-manager-RAT-client32.ini.txt   (919 bytes)
• 2017-12-12-fake-AV-audio.mp3   (262,144 bytes)
• 2017-12-12-fake-AV-page.txt   (9,748 bytes)
• 2017-12-12-page-from-rackhouselubbock.com-with-injected-script-for-HoeflerText-popup.txt   (94,537 bytes)
• 2017-12-12-page-from-rackhouselubbock.com-with-injected-script-for-fake-AV-page.txt   (49,562 bytes)

NOTES:

• "EITest" is a long-running campaign that formerly used exploit kits to distribute malware.
• Earlier this year, EITest turned to different methods like HoeflerText popups fake anti-virus pages pushing tech support scams.
• In September 2017, Palo Alto Networks published a Unit 42 blog I wrote about HoeflerText popups that EITest uses to distribute malware.  Click here for details.

Shown above:  Current flow chart for activity by the EITest campaign.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• hxxp://shopreduceri.ro/file_up.php
• bmwfastcar1337.com
• printscreens.info
• hxxp://94.242.198.167/fakeurl.htm
• onlinetechsupoffice.bid
• 1sthelper31212123456.tk

 

TRAFFIC

LEGIMATE BUT COMPROMISED SITE:

• rackhouselubbock.com   (site is HTTPS)

IF USING GOOGLE CHROME - URL AFTER HOEFLERTEXT POPUP:

• 195.88.81.104 port 80 - shopreduceri.ro - GET /file_up.php

POST-INFECTION TRAFFIC FROM FONT_CHROME.EXE AND NETSUPPORT MANAGER RAT:

• 31.31.196.204 port 443 - printscreens.info - HTTPS/SSL/TLS traffic
• DNS query for bmwfastcar1337.com - resolved to 94.242.198.167
• 94.242.198.167 port 1488 - 94.242.198.167 - POST http://94.242.198.167/fakeurl.htm

IF USING INTERNET EXPLORER - URL THAT REDIRECTS TO FAKE ANTI-VIRUS PAGE:

• 162.244.35.33 port 80 - onlinetechsupoffice.bid - GET /index/?MCPKV8

FAKE ANTI-VIRUS PAGE AS SEEN IN THE UNITED STATES:

• 185.159.83.47 port 80 - 1sthelper31212123456.tk - GET /?number=866-271-4031

 

FILE HASHES

FILE DOWNLOADED FROM HOEFLERTEXT POPUP:

• SHA256 hash:  c8a050d999e827c91d09bd7886b81a76ad07b17f610aee1c296676251050f556
  File size:  243,125 bytes
  File name:  Font_Chrome.exe
  File description:  malware downloader to install NetSupport Manager RAT

 

IMAGES

Shown above:  HoeflerText popup seen from rackhouselubbock.com.

 

Shown above:  Injected script from rackhouselubbock.com when viewing the site from Chrome.

 

Shown above:  Downloading Font_Chrome.exe from the HoflerText popup.

 

Shown above:  NetSupport Manager RAT on the infected Windows host.

 

Shown above:  Injected script from rackhouselubbock.com when viewing the site from Internet Explorer.

 

Shown above:  Fake anti-virus/tech support scam page after following link from the injected script.

 

Shown above:  Fake anti-virus/tech support scam popup after following link from the injected script.

 

Shown above:  Traffic from the NetSupport Manger RAT infection filtered in Wireshark.

 

Shown above:  Traffic from the Fake AV activity filtered in Wireshark.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  2017-12-12-EITest-campaign-pcaps.zip   3.5 MB (3,454,208 bytes)
• Zip archive of the malware and associated artifacts:  2017-12-12-EITest-campaign-malware-and-artifacts.zip   418 kB (418,148 bytes)

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.