2017-05-30 - EITEST CAMPAIGN PUSHING TECH SUPPORT SCAMS, RIG EK, HOEFLERTEXT POPUPS
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-05-30-EITest-pcaps.zip 1.3 MB (1,328,018 bytes)
- 2017-05-29-EITest-script-for-tech-scam-after-amormariano.com.br-UK-based-traffic.pcap (472,332 bytes)
- 2017-05-30-EITest-script-for-tech-scam-after-amormariano.com.br-US-based-traffic-1st-run.pcap (898,744 bytes)
- 2017-05-30-EITest-script-for-tech-scam-after-amormariano.com.br-US-based-traffic-2nd-run.pcap (883,541 bytes)
- ZIP archive of the malware and artifacts: 2017-05-30-EITest-artifacts.zip 718 kB (718,043 bytes)
- 2017-05-29-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-UK.txt (237,041 bytes)
- 2017-05-29-tech-support-scam-page-UK.mp3 (164,773 bytes)
- 2017-05-29-tech-support-scam-page-UK.txt (45,831 bytes)
- 2017-05-30-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-US-1st-run.txt (237,019 bytes)
- 2017-05-30-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-US-2nd-run.txt (237,018 bytes)
- 2017-05-30-tech-support-scam-page-US.mp3 (589,824 bytes)
- 2017-05-30-tech-support-scam-page-US.txt (4,978 bytes)
NOTES:
- Another entry in my follow-up research after a blog post by @nao_sec titled: New EITest's Cloaking
- Still seeing EITest script for HoeflerText, but no follow-up Spora ransomware.
- I almost had an example of EITest script leading to Rig EK, but I accidentally recorded over the pcap before saving it.
- The EITest Rig EK sent Kovter while I was operating from a United States IP address.
- The compromised website also had injected script for the US tech support scam (see "other pics" section below).
- Unfortunately, I was unable to replicate the traffic for EITest Rig EK.
Shown above: Updated my chart, because I saw EITest Rig EK while operating from a US location as my source IP address.
CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED STATES (US)
Shown above: Example of injected script in a page from the compromised website. The highlighted URL leads to a tech support scam page.
Shown above: Examples of the traffic filtered in Wireshark.
Shown above: Screenshot of the tech support scam page (US style). New phone number today.
Shown above: Screenshot of the tech support scam page with the notification pop-up (US style).
CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED KINGDOM (UK)
Shown above: Injected script in a page from the compromised website. The highlighted URL leads to a tech support scam page.
Shown above: Traffic filtered in Wireshark. NOTE: As before, I had to manually copy and paste the gio.aquastring.bid URL into a browser. It did not happen automatically.
Shown above: The gio.zenoricher.bid URL redirects to an HTTPS URL.
Shown above: Screenshot of the tech support scam page (UK style).
Shown above: Screenshot of the tech support scam page with the notification pop-up (UK style).
INDICATORS
The following are indicators associated with this activity.
- www.amormariano.com.br - A site that's been compromised by criminals behind the EITest campaign
- naturalhealthonline.com - Another site that's been compromised by criminals behind the EITest campaign
- 104.18.52.141 port 80 - 547566458877948786467.win - tech support scam site for the US (1st run)
- 104.28.30.167 port 80 - 14567996453586879.review - tech support scam site for the US (2nd run)
- 91.195.102.3 port 80 - gio.zenoricher.bid - GET /?fnerr=news - redirect URL for the UK
- 91.195.102.3 port 443 - wide.gersaqertopove.info - GET /en/?id=MDgwMCAwODYtOTgyNw - tech support scam site for the UK [HTTPS]
- 888-359-4379 - Toll free phone number for tech support scam in the US
- 0800-086-9827 - Toll free phone number for tech support scam in the UK
- 174.138.74.148 port 80 - investigacion.ujcm.edu.pe - GET /who3.php - URL from HoeflerText popup leading to Spora ransomware.
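As an added defender-side example (not code from the original post), the indicators above turned into a small detector and run over constructed proxy-log lines: the log format and the sample lines are assumptions, while the hosts, IPs and URIs are taken from the list above. It also decodes the base64 id parameter of the UK scam URL, which yields the UK phone number listed above and so gives a second value to correlate on.

```python
# Added example, not from the original post. Log format
# "<ts> <client> <server_ip>:<port> <method> <host> <uri>" and the sample lines
# are constructed; hosts, IPs and URIs come from the post's indicator list.
import base64
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the post: (server IP, port, hostname, label).
IOCS = [
    ("104.18.52.141", 80, "547566458877948786467.win", "US tech support scam (1st run)"),
    ("104.28.30.167", 80, "14567996453586879.review", "US tech support scam (2nd run)"),
    ("91.195.102.3", 80, "gio.zenoricher.bid", "UK redirect URL"),
    ("91.195.102.3", 443, "wide.gersaqertopove.info", "UK tech support scam [HTTPS]"),
    ("174.138.74.148", 80, "investigacion.ujcm.edu.pe", "HoeflerText popup URL"),
]
HOSTS = {host: label for _, _, host, label in IOCS}
IPS = {ip: label for ip, _, _, label in IOCS}

def decode_id_param(uri):
    """Decode the base64 'id' query parameter of the UK scam URL.
    The URL carries it without padding, so padding is restored first."""
    qs = parse_qs(urlsplit(uri).query)
    if "id" not in qs:
        return None
    raw = qs["id"][0]
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.urlsafe_b64decode(raw).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def scan(lines):
    """Return (client, server_ip, host, label, decoded_id) per matching line."""
    hits = []
    for line in lines:
        _ts, client, server, _method, host, uri = line.split(maxsplit=5)
        ip = server.rsplit(":", 1)[0]
        label = HOSTS.get(host) or IPS.get(ip)  # match on hostname or server IP
        if label:
            hits.append((client, ip, host, label, decode_id_param(uri)))
    return hits

# Constructed sample log lines (not taken from the pcaps).
SAMPLE_LOG = [
    "2017-05-29T10:00:01 10.0.0.5 91.195.102.3:80 GET gio.zenoricher.bid /?fnerr=news",
    "2017-05-29T10:00:02 10.0.0.5 91.195.102.3:443 GET wide.gersaqertopove.info /en/?id=MDgwMCAwODYtOTgyNw",
    "2017-05-29T10:00:03 10.0.0.5 93.184.216.34:80 GET example.com /index.html",
    "2017-05-30T09:12:44 10.0.0.7 104.18.52.141:80 GET 547566458877948786467.win /",
]
```

Calling `scan(SAMPLE_LOG)` flags the three indicator lines and leaves the example.com line alone; the second hit carries the decoded phone number.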
OTHER PICS
Shown above: An example of the HoeflerText popup on a site compromised by the EITest campaign. No binary (Font_Chrome.exe or otherwise) was returned.
Shown above: This is the type of injected EITest script I saw, where I accidentally recorded over the pcap.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-05-30-EITest-pcaps.zip 1.3 MB (1,328,018 bytes)
- ZIP archive of the malware and artifacts: 2017-05-30-EITest-artifacts.zip 718 kB (718,043 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.