2017-05-25 - EITEST CAMPAIGN PUSHING TECH SUPPORT SCAMS IN US AND UK

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-05-25-EITest-pcaps.zip   1.5 MB (1,511,124 bytes)

• 2017-05-25-EITest-Rig-EK-sends-Mole-ransomware-after-naturalhealthonline.com.pcap   (263,718 bytes)
• 2017-05-25-EITest-script-for-tech-scam-after-activaclinics.com-UK-based-traffic.pcap   (279,748 bytes)
• 2017-05-25-EITest-script-for-tech-scam-after-activaclinics.com-US-based-traffic.pcap   (702,907 bytes)
• 2017-05-25-EITest-script-for-tech-scam-after-naturalhealthonline.com-US-based-traffic.pcap   (701,682 bytes)

• ZIP archive of the malware and artifacts:  2017-05-25-EITest-malware-and-artifacts.zip   757 kB (756,650 bytes)

• 2017-05-25-EITest-Rig-EK-payload-Mole-ransomware.exe   (119,296 bytes)
• 2017-05-25-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-05-25-Rig-EK-flash-exploit.swf   (15,330 bytes)
• 2017-05-25-Rig-EK-landing-page.txt   (5,100 bytes)
• 2017-05-25-page-from-activaclinics.com-with-injected-EITest-script-for-tech-scam-UK.txt   (61,176 bytes)
• 2017-05-25-page-from-activaclinics.com-with-injected-EITest-script-for-tech-scam-US.txt   (41,408 bytes)
• 2017-05-25-page-from-naturalhealthonline.com-with-injected-EITest-script-for-Rig-EK.txt   (39,077 bytes)
• 2017-05-25-page-from-naturalhealthonline.com-with-injected-EITest-script-for-tech-scam-US.txt   (41,069 bytes)
• 2017-05-25-tech-support-scam-audio-UK.mp3   (164,773 bytes)
• 2017-05-25-tech-support-scam-audio-US.mp3   (589,824 bytes)
• 2017-05-25-tech-support-scam-page-UK.txt   (54,525 bytes)
• 2017-05-25-tech-support-scam-page-US.txt   (4,976 bytes)

 

NOTES:

• This is a follow-up to a blog post by @nao_sec titled: New EITest's Cloaking
• Like @nao_sec, I've also noticed the different type injected script in site compromised by the EITest campaign.
• I looked into it, and these are tech support scam URLs that try to convince you that your computer is infected and to call a phone number for help.
• Injected script for the tech support scams is what I see from EITest-compromised websites when looking at them from the US or the UK.
• Within the past 24 hours, I've also seen Rig EK when checking these EITest-compromised websites from various locations in Europe and Asia.
• I'm also seeing the HoeflerText popups (that've been sending Spora ransomware) when I check these EITest-compromised sites with Chrome.

Shown above:  My preliminary findings.

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED STATES (US)

Shown above:  Injected script in a page from the compromised website  The highlighted URL leads to a tech support scam page.

 

Shown above:  Traffic filtered in Wireshark.  NOTE: I had to manually copy and paste the URL into a browser.  It did not happen automatically.

 

Shown above:  Screenshot of the tech support scam page (US style).

 

Shown above:  Screenshot of the tech support scam page with the notification pop-up (US style).

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED KINGDOM (UK)

Shown above:  Injected script in a page from the compromised website  The highlighted URL leads to a tech support scam page.

 

Shown above:  Traffic filtered in Wireshark.  NOTE: As before, I had to manually copy and paste the gio.aquastring.bid
URL into a browser.  It did not happen automatically.

 

Shown above:  The gio.aquastring.bid URL redirects to an HTTPS URL.

 

Shown above:  Screenshot of the tech support scam page (UK style).

 

Shown above:  Screenshot of the tech support scam page with the notification pop-up (UK style).

 

INDICATORS

The following are indicators associated with this activity.  I've included a pcap showing Rig EK (it sent Mole ransomware, just like yesterday) from the same compromised website that I also saw one of the tech support scam URLs come from.

• www.activaclinics.com   -   A site that's been compromised by criminals behind the EITest campaign
• naturalhealthonline.com   -   Another site that's been compromised by criminals behind the EITest campaign

• 104.24.116.139 port 80 - 1317587423345278789.win   -   tech support scam site for the US

• 91.195.102.3 port 80 - gio.aquastring.bid - GET /?zyzba=news   -   redirect URL for the UK
• 91.195.102.3 port 443 - wide.bonesboxowersa.info - GET /en/?id=MDgwMCAwODYtOTgyNw   -   tech support scam site for the UK   [HTTPS]

• 888-252-1520 - Toll free phone number for tech support scam in the US
• 0800-086-9827 - Toll free phone number for tech support scam in the UK

• 81.177.135.229 port 80 - port.preferredsurgicenter.com   -   Rig EK seen on 2017-05-25 at approximately 02:07 UTC
• supportjy2xvvdmx.onion - Tor domain for the Mole ransomware decryption instructions

• 9e32f6654a122fbceef5d1b0bd6d781fb364b74aedce94fea8e7969836bcf4f7 - SHA256 hash for Mole ransomware sent by Rig EK from the EITest campaign

 

BONUS PIC

Shown above:  If you're dealing with Rig EK and Mole ransomware from the EITest campaign, here's a screenshot of the
Mole ransomware tor page.  Click here for more info/better notes.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-05-25-EITest-pcaps.zip   1.5 MB (1,511,124 bytes)
• ZIP archive of the malware and artifacts:  2017-05-25-EITest-malware-and-artifacts.zip   757 kB (756,650 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.