2017-01-30 - EITEST FAKE CHROME POPUP LEADS TO SPORA RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-30-EITest-fake-Chrome-popup-sends-Spora-ransomware-2-pcaps.zip   377.1 kB (377,120 bytes)

• 2017-01-30-EITest-fake-Chrome-popup-sends-Spora-ransomware-1st-run.pcap   (359,511 bytes)
• 2017-01-30-EITest-fake-Chrome-popup-sends-Spora-ransomware-2nd-run.pcap   (291,918 bytes)

• 2017-01-30-EITest-artifacts-and-Spora-ransomware.zip   163.2 kB (163,237 bytes)

• 2017-01-30-Spora-ransomware-sent-by-EITest-campaign.exe   (110,712 bytes)
• 2017-01-30-page-from-forum.odroid_com-with-injected-EITest-script-1st-run.txt   (143,162 bytes)
• 2017-01-30-page-from-forum.odroid_com-with-injected-EITest-script-2nd-run.txt   (143,391 bytes)

BACKGROUND ON EITEST FAKE CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint published a writeup about this:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.

BACKGROUND ON SPORA RANSOMWARE:

• As usual, BleepingComputer published a good write-up on Spora shortly after it first appeared (link).

OTHER NOTES:

• Thanks to @killamjr for tweeting about the compromised website.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Start of injected script from the EITest campaign from a page from the compromised site.

 

Shown above:  End of of injected script from the EITest campaign from a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (1st run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (2nd run).

 

ASSOCIATED TRAFFIC:

• forum.odroid[.]com - Compromised site
• 176.57.210[.]35 port 80 - steklokomplekt[.]org - POST /update.php   [URL from injected script to download the malware, 1st run]
• 91.211.112[.]233 port 80 - www.amborusa[.]org - POST /update.php   [URL from injected script to download the malware, 2nd run]
• 186.2.163[.]47 port 443 - spora[.]biz - Spora ransomware decryption site

 

FILE HASHES

SPORA RANSOMWARE:

• SHA256 hash:  d5a1c143b07475b367d2e12ff72fe5a3ec59c42fa11ae2d3eb2d4e76442e60b3   (110,712 bytes)
  File name:  Update.exe
  File description:  Spora ransomware from the EITest campaign seen on 2017-01-30

 

IMAGES

Shown above:  Popup within Chrome when viewing the compromised website (image 1 of 2).

 

Shown above:  Popup within Chrome when viewing the compromised website (image 2 of 2).

 

Shown above:  Spora ransomware decryption instructions from the HTML file dropped to the Desktop.

 

Shown above:  Spora decryption site at spora[.]biz.

 

Click here to return to the main page.