2017-05-30 - EITEST CAMPAIGN PUSHING TECH SUPPORT SCAMS, RIG EK, HOEFLERTEXT POPUPS

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-05-30-EITest-pcaps.zip   1.3 MB (1,328,018 bytes)

• 2017-05-29-EITest-script-for-tech-scam-after-amormariano.com.br-UK-based-traffic.pcap   (472,332 bytes)
• 2017-05-30-EITest-script-for-tech-scam-after-amormariano.com.br-US-based-traffic-1st-run.pcap   (898,744 bytes)
• 2017-05-30-EITest-script-for-tech-scam-after-amormariano.com.br-US-based-traffic-2nd-run.pcap   (883,541 bytes)

• ZIP archive of the malware and artifacts:  2017-05-30-EITest-artifacts.zip   718 kB (718,043 bytes)

• 2017-05-29-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-UK.txt   (237,041 bytes)
• 2017-05-29-tech-support-scam-page-UK.mp3   (164,773 bytes)
• 2017-05-29-tech-support-scam-page-UK.txt   (45,831 bytes)
• 2017-05-30-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-US-1st-run.txt   (237,019 bytes)
• 2017-05-30-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-US-2nd-run.txt   (237,018 bytes)
• 2017-05-30-tech-support-scam-page-US.mp3   (589,824 bytes)
• 2017-05-30-tech-support-scam-page-US.txt   (4,978 bytes)

 

NOTES:

• Another entry in my follow-up research after a blog post by @nao_sec titled: New EITest's Cloaking

• Still seeing EITest script for HoeflerText, but no follow-up Spora ransomware.
• I almost had an example of EITest script leading to Rig EK, but I accidentally recorded over the pcap before saving it.
• The EITest Rig EK sent Kovter while I was operating from a United States IP address
• The compromised website also had injected script for the US tech support scam (see "other pics" section below).
• Unfortunately, I was unable to replicate the traffic for EITest Rig EK.

Shown above:  Updated my chart, because I saw EITest Rig EK while operating from a US location as my source IP address.

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED STATES (US)

Shown above:  Example of injected script in a page from the compromised website  The highlighted URL leads to a tech support scam page.

 

Shown above:  Examples of the traffic filtered in Wireshark.

 

Shown above:  Screenshot of the tech support scam page (US style).  New phone number today.

 

Shown above:  Screenshot of the tech support scam page with the notification pop-up (US style).

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED KINGDOM (UK)

Shown above:  Injected script in a page from the compromised website.  The highlighted URL leads to a tech support scam page.

 

Shown above:  Traffic filtered in Wireshark.  NOTE: As before, I had to manually copy and paste the gio.aquastring.bid
URL into a browser.  It did not happen automatically.

 

Shown above:  The gio.zenoricher.bid URL redirects to an HTTPS URL.

 

Shown above:  Screenshot of the tech support scam page (UK style).

 

Shown above:  Screenshot of the tech support scam page with the notification pop-up (UK style).

 

INDICATORS

The following are indicators associated with this activity.

• www.amormariano.com.br   -   A site that's been compromised by criminals behind the EITest campaign
• naturalhealthonline.com   -   Another site that's been compromised by criminals behind the EITest campaign

• 104.18.52.141 port 80 - 547566458877948786467.win   -   tech support scam site for the US (1st run)
• 104.28.30.167 port 80 - 14567996453586879.review   -   tech support scam site for the US (2nd run)

• 91.195.102.3 port 80 - gio.zenoricher.bid - GET /?fnerr=news   -   redirect URL for the UK
• 91.195.102.3 port 443 - wide.gersaqertopove.info - GET /en/?id=MDgwMCAwODYtOTgyNw   -   tech support scam site for the UK   [HTTPS]

• 888-359-4379 - Toll free phone number for tech support scam in the US
• 0800-086-9827 - Toll free phone number for tech support scam in the UK

• 174.138.74.148 port 80 - investigacion.ujcm.edu.pe - GET /who3.php   -   URL from HoeflerText popup leading to Spora ransomware.

 

OTHER PICS

Shown above:  An example of the HoeflerText popup on a site compromised by the EITest campaign.  No binary (Font_Chrome.exe or otherwise) was returned.

 

Shown above:  This is the type of injected EITest script I saw, where I accidentally recorded over the pcap.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-05-30-EITest-pcaps.zip   1.3 MB (1,328,018 bytes)
• ZIP archive of the malware and artifacts:  2017-05-30-EITest-artifacts.zip   718 kB (718,043 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.