2017-09-07 - EITEST CAMPAIGN STILL USING FAKE AV ALERTS OR HOEFLERTEXT POPUPS

ASSOCIATED FILES:

  • 2017-09-07-EITest-HoeflerText-popup-pushes-NetSupport-Manager-RAT-traffic.pcap   (5,819,585 bytes)
  • 2017-09-07-EITest-fake-AV-tech-support-scam-traffic.pcap   (318,225 bytes)
  • 2017-09-07-DSAdaDSDA.js.txt   (4,630 bytes)
  • 2017-09-07-EITest-fake-AV-audio.mp3   (262,144 bytes)
  • 2017-09-07-EITest-fake-AV-page.txt   (4,374 bytes)
  • 2017-09-07-Font_Chrome.exe   (287,988 bytes)
  • 2017-09-07-NetSupport-Manager-RAT-client32.ini.txt   (969 bytes)
  • 2017-09-07-d.zaix.ru-4pdV.jpg.txt   (5,072,612 bytes)
  • 2017-09-07-idgwljlrj.jpg.exe   (3,804,458 bytes)
  • 2017-09-07-page-from-misooakville.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (82,926 bytes)
  • 2017-09-07-page-from-misooakville.com-with-injected-EITest-script-for-fake-AV-page.txt   (38,706 bytes)

Shown above:  Current flow chart for activity caused by the EITest campaign.
BACKGROUND:
TRAFFIC


Shown above:  Traffic for fake anti-virus alert caused by EITest campaign.
Shown above:  Traffic from HoeflerText popup and NetSupport Manager RAT infection caused by EITest campaign.
LEGITIMATE BUT COMPROMISED SITE:

IF USING INTERNET EXPLORER - URL THAT REDIRECTS TO FAKE ANTI-VIRUS PAGE:

FAKE ANTI-VIRUS PAGE AS SEEN IN THE UNITED STATES:

IF USING GOOGLE CHROME - URL FROM HOEFLERTEXT POPUP:

POST-INFECTION TRAFFIC FROM FONT_CHROME.EXE AND NETSUPPORT MANAGER RAT:

PHONE NUMBER FOR TECH SUPPORT SCAM (UNITED STATES):
FILE HASHES

FILE DOWNLOADED FROM HOEFLERTEXT POPUP:

SECOND-STAGE MALWARE:
IMAGES


Shown above:  Some injected script near the end of an HTML page from the compromised site.
Shown above:  Fake anti-virus page and popup window for tech support scam.
Shown above:  HoeflerText notification in page from the compromised site.
Shown above:  Some injected script near the end of an HTML page from the compromised site.
Shown above:  After clicking button to download the fake HoeflerText update.
Shown above:  Malware disguised as fake Chrome font update.
Shown above:  Post-infection traffic for second-stage malware, downloaded as Base64 text string (almost 5 MB), then converted to a binary.
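The delivery step in the caption above (a large Base64 text body fetched under a .jpg name, then decoded into an executable) is something a defender can flag in proxy logs or a pcap carve-out. The following is an added example, not code from this post or from its pcaps: a Python check that scans an HTTP response body for long Base64 runs, decodes each one, and tests whether the result carries a PE header (an MZ stub whose e_lfanew field points at a PE\0\0 signature). The response and the "executable" inside it are constructed stand-ins, and the function and variable names are my own. For reference, the 4:3 size ratio that Base64 produces is consistent with the listed sizes of 2017-09-07-d.zaix.ru-4pdV.jpg.txt (5,072,612 bytes) and 2017-09-07-idgwljlrj.jpg.exe (3,804,458 bytes).

```python
import base64
import binascii
import re
import struct


def build_fake_pe(payload_len: int = 4096) -> bytes:
    """Constructed stand-in for a Windows executable: an MZ header whose
    e_lfanew (offset 0x3C) points at a PE\\0\\0 signature at 0x80.
    It is not a program; it only exercises the header check below."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)
    body = bytearray(payload_len)
    body[0x40:0x44] = b"PE\x00\x00"          # absolute offset 0x80
    return bytes(dos_header + body)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Unbroken runs of Base64 alphabet, long enough to rule out short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")


def find_base64_executables(body: str, min_decoded: int = 1024) -> list:
    """Return one finding per long Base64 run in an HTTP body that decodes
    cleanly to at least min_decoded bytes, marking PE-looking results."""
    findings = []
    for m in B64_RUN.finditer(body):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                        # not valid Base64, skip
        if len(decoded) < min_decoded:
            continue
        findings.append({
            "offset": m.start(),
            "encoded_len": len(blob),
            "decoded_len": len(decoded),
            "is_pe": looks_like_pe(decoded),
        })
    return findings


# Constructed HTTP exchange: Content-Type says JPEG, body is Base64 of a PE.
FAKE_PE = build_fake_pe()
ENCODED = base64.b64encode(FAKE_PE).decode("ascii")
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/jpeg\r\n"
    f"Content-Length: {len(ENCODED)}\r\n"
    "\r\n" + ENCODED
)

# Constructed benign response: Base64 of plain text, no MZ header.
BENIGN = base64.b64encode(b"just some text " * 200).decode("ascii")
SAMPLE_BENIGN = "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + BENIGN

if __name__ == "__main__":
    for name, body in (("suspicious", SAMPLE_RESPONSE), ("benign", SAMPLE_BENIGN)):
        for f in find_base64_executables(body):
            verdict = "PE executable" if f["is_pe"] else "not a PE"
            print(f"{name}: {f['encoded_len']} Base64 chars -> "
                  f"{f['decoded_len']} bytes ({verdict})")
```

The regex only matches unbroken runs, so a body that wraps its Base64 at fixed line lengths (MIME style) should have whitespace stripped before scanning. The Content-Type mismatch (image/jpeg carrying text) is a second, independent signal worth logging on its own.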
Shown above:  Second-stage malware that installs the NetSupport Manager RAT.
Shown above:  NetSupport Manager RAT installed in the user's AppData\Roaming directory under 0TempValue.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.