2017-05-26 - EITEST CAMPAIGN PUSHING TECH SUPPORT SCAMS, RIG EK, HOEFLERTEXT POPUS
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-05-26-EITest-pcaps.zip 1.1 MB (1,120,073 bytes)
- 2017-05-26-EITest-Rig-EK-sends-Cerber-after-intothebluefishing.com.pcap (619,346 bytes)
- 2017-05-26-EITest-script-for-HoeflerText-popup-after-naturalhealthonline.com.pcap (96,925 bytes)
- 2017-05-26-EITest-script-for-tech-scam-after-intothebluefishing.com-UK-based-traffic.pcap (327,029 bytes)
- 2017-05-26-EITest-script-for-tech-scam-after-intothebluefishing.com-US-based-traffic.pcap (621,442 bytes)
- ZIP archive of the malware and artifacts: 2017-05-26-EITest-malware-and-artifacts.zip 1.3 MB (1,319,039 bytes)
- 2017-05-25-page-from-naturalhealthonline.com-with-injected-EITest-script-leading-to-HoeflerText-script.txt (85,460 bytes)
- 2017-05-26-Cerber-desktop-background.bmp (3,145,782 bytes)
- 2017-05-26-Cerber_R_E_A_D___T_H_I_S___6EL4PI3M_.hta (77,493 bytes)
- 2017-05-26-Cerber_R_E_A_D___T_H_I_S___AQRJ_.txt (1,360 bytes)
- 2017-05-26-EITest-Rig-EK-payload-Cerber.exe (278,528 bytes)
- 2017-05-26-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-05-26-Rig-EK-flash-exploit.swf (15,512 bytes)
- 2017-05-26-Rig-EK-landing-page.txt (5,094 bytes)
- 2017-05-26-page-from-intothebluefishing.com-with-injected-EITest-script-for-Rig-EK.txt (82,068 bytes)
- 2017-05-26-page-from-intothebluefishing.com-with-injected-EITest-script-for-tech-scam-UK.txt (84,019 bytes)
- 2017-05-26-page-from-intothebluefishing.com-with-injected-EITest-script-for-tech-scam-US.txt (84,080 bytes)
- 2017-05-26-page-from-naturalhealthonline.com-with-injected-EITest-script-for-HoeflerText-popup.txt (85,459 bytes)
- 2017-05-26-tech-support-scam-audio-UK.mp3 (164,773 bytes)
- 2017-05-26-tech-support-scam-audio-US.mp3 (589,824 bytes)
- 2017-05-26-tech-support-scam-page-UK.txt (45,831 bytes)
- 2017-05-26-tech-support-scam-page-US.txt (4,978 bytes)
NOTES:
- Another entry in my follow-up research after a blog post by @nao_sec titled: New EITest's Cloaking
Shown above: Now that EITest Rig EK is sending Cerber instead of Mole ransomware...
CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED STATES (US)
Shown above: Injected script in a page from the compromised website The highlighted URL leads to a tech support scam page.
Shown above: Traffic filtered in Wireshark. NOTE: I had to manually copy and paste the URL into a browser. It did not happen automatically.
Shown above: Screenshot of the tech support scam page with the notification pop-up (US style).
CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED KINGDOM (UK)
Shown above: Injected script in a page from the compromised website. The highlighted URL leads to a tech support scam page.
Shown above: Traffic filtered in Wireshark. NOTE: As before, I had to manually copy and paste the gio.aquastring.bid
URL into a browser. It did not happen automatically.
Shown above: The gio.aquastring.bid URL redirects to an HTTPS URL.
Shown above: Screenshot of the tech support scam page with the notification pop-up (UK style).
CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN JAPAN
Shown above: Injected script in a page from the compromised site leading to Rig EK.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Desktop of an infected Windows host.
INDICATORS
The following are indicators associated with this activity.
- www.intothebluefishing - A site that's been compromised by criminals behind the EITest campaign
- naturalhealthonline.com - Another site that's been compromised by criminals behind the EITest campaign
- 104.18.37.164 port 80 - 462781647864529375896239.win - tech support scam site for the US
- 91.195.102.3 port 80 - gio.aquastring.bid - GET /?biir=news - redirect URL for the UK
- 91.195.102.3 port 443 - wide.bonesboxowersa.info - GET /en/?id=MDgwMCAwODYtOTgyNw - tech support scam site for the UK [HTTPS]
- 888-252-1520 - Toll free phone number for tech support scam in the US
- 0800-086-9827 - Toll free phone number for tech support scam in the UK
- 185.154.53.83 port 80 - art.606kingsplace.com - Rig EK seen on 2017-05-26 at approximately 15:37 UTC
- 178.33.158.0 - 178.33.158.31 (178.33.158.0/27) UDP port 6893 - post-infected traffic from the Cerber-infected host
- 178.33.159.0 - 178.33.159.31 (178.33.159.0/27) UDP port 6893 - post-infected traffic from the Cerber-infected host
- 178.33.160.0 - 178.33.163.255 (178.33.160.0/22) UDP port 6893 - post-infected traffic from the Cerber-infected host
- 104.223.87.60 port 80 - p27dokhpz2n7nvgr.1fgywm.top - HTTP traffic for Cerber decryption instructions on 2017-05-26
- eb0e05dd776b5344542fff83215b51170fea78db10cc340f0553427b5e6de04a - SHA256 hash for Flash exploit used by Rig EK on 2017-05-26
- 79edfa7bbd4b3aadf50c086f1c2d1f67934832b0b9cbf7626675d53c2e15bc39 - SHA256 hash for Cerber ransomware sent by Rig EK from the EITest campaign
- 104.168.188.240 port 80 - shernagarasfmadrasah.edu.bd - GET /who3.php - URL from HoeflerText popup leading to Spora ransomware.
BONUS PICS
Shown above: HoeflerText popup on site compromised by the EITest campaign.
Shown above: Sage ransomware URL (sent as Font_Chrome.exe) from the injected EIText HoflerText script. The URL never returned anything for me, but it
should've been SHA256 hash: 90c171442cb73f258e26b79c026e9e7479457647d1431d5a181be1152195559f.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-05-26-EITest-pcaps.zip 1.1 MB (1,120,073 bytes)
- ZIP archive of the malware and artifacts: 2017-05-26-EITest-malware-and-artifacts.zip 1.3 MB (1,319,039 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.