2017-02-04 - EITEST FAKE CHROME POPUP LEADS TO SPORA RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-02-04-EITest-fake-Chrome-popup-leads-to-Spora-ransomware-2-pcaps.zip 480.3 kB (480,277 bytes)
  - 2017-02-03-EITest-fake-Chrome-popup-leads-to-Spora-ransomware.pcap (389,510 bytes)
  - 2017-02-04-EITest-fake-Chrome-popup-leads-to-Spora-ransomware.pcap (329,387 bytes)
- 2017-02-04-EITest-artifacts-and-Spora-ransomware.zip 365.0 kB (365,010 bytes)
  - 2017-02-03-page-from-holinergroup_com-with-injected-script.txt (110,374 bytes)
  - 2017-02-03-Spora-ransomware-Chrome_Font_v8.65.exe (196,608 bytes)
  - 2017-02-04-page-from-holinergroup_com-with-injected-script.txt (110,332 bytes)
  - 2017-02-04-Spora-ransomware-Chrome_Font_v5.92.exe (196,608 bytes)
BACKGROUND ON EITEST FAKE CHROME POPUPS:
- 2017-01-17 - Kafeine at Proofpoint published a writeup about this: EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.
BACKGROUND ON SPORA RANSOMWARE:
- BleepingComputer published a good write-up on Spora shortly after it first appeared (link).
OTHER NOTES:
- Thanks to @killamjr for tweeting about the compromised website.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Start of injected script from the EITest campaign from a page from the compromised site.
Shown above: End of injected script from the EITest campaign from a page from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark (1st run).
Shown above: Pcap of the infection traffic filtered in Wireshark (2nd run).
ASSOCIATED DOMAINS:
- holinergroup[.]com - Compromised site
- 66.135.60[.]199 port 80 - nichedominator[.]roger - POST /go.php [URL from injected script to download the malware, 1st run]
- 213.163.76[.]143 port 80 - fitsz[.]nl - POST /go.php [URL from injected script to download the malware, 2nd run]
- 186.2.163[.]47 port 443 - spora[.]biz - Spora decryption site
FILE HASHES
SPORA RANSOMWARE:
- SHA256 hash: 9f2f3a8156c10b6e0185ceb0b4da2a16ada79af54f072199e8cea42a09a873cd (196,608 bytes)
File name: Chrome_Font_v8.65.exe
File name: Chrome_Font_v5.92.exe
File description: Spora ransomware from the EITest campaign seen on 2017-02-03 and 2017-02-04
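As an added defender-side example, not part of the original post: a small Python script that refangs the domains, server addresses and SHA256 hash listed above and runs them as a simple detection over a few constructed proxy-log lines. The log format, the client address, the timestamps and the address shown for holinergroup.com are assumptions made for the example; the indicators themselves come from this page.

```python
"""Added example (not from the original post): refang the indicators listed
above and use them to flag matching lines in a constructed proxy log."""
from __future__ import annotations

from urllib.parse import urlparse

# Indicators as listed on the page, defanged with "[.]".
DEFANGED_DOMAINS = {
    "holinergroup[.]com": "compromised site carrying the injected EITest script",
    "nichedominator[.]roger": "Spora download host (POST /go.php), 1st run",
    "fitsz[.]nl": "Spora download host (POST /go.php), 2nd run",
    "spora[.]biz": "Spora decryption site",
}
DEFANGED_IPS = {
    "66.135.60[.]199": "nichedominator[.]roger",
    "213.163.76[.]143": "fitsz[.]nl",
    "186.2.163[.]47": "spora[.]biz",
}
SPORA_SHA256 = "9f2f3a8156c10b6e0185ceb0b4da2a16ada79af54f072199e8cea42a09a873cd"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('spora[.]biz', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d): role for d, role in DEFANGED_DOMAINS.items()}
IPS = {refang(ip): refang(host) for ip, host in DEFANGED_IPS.items()}
DOWNLOAD_HOSTS = {refang("nichedominator[.]roger"), refang("fitsz[.]nl")}


def extract_host(method: str, url: str) -> tuple[str, str]:
    """Return (host, path). CONNECT targets are 'host:port' without a scheme."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower(), ""
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path


def match_log_line(line: str) -> list[str]:
    """Return human-readable alerts for one log line.

    Assumed (constructed) line format:
        <timestamp> <client_ip> <method> <url> <dst_ip> <status>
    """
    fields = line.split()
    if len(fields) != 6:
        return []  # not in the assumed format; ignore rather than guess
    _ts, client, method, url, dst_ip, _status = fields
    host, path = extract_host(method, url)
    alerts = []
    if host in DOMAINS:
        alerts.append(f"{host}: {DOMAINS[host]}")
    if dst_ip in IPS:
        alerts.append(f"{dst_ip}: known address of {IPS[dst_ip]}")
    # The download URL pattern from the injected script: POST /go.php to the malware host.
    if method == "POST" and path == "/go.php" and host in DOWNLOAD_HOSTS:
        alerts.append(f"Spora payload download pattern (POST /go.php to {host}) from {client}")
    return alerts


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (line, alerts) for every line that produced at least one alert."""
    return [(line, match_log_line(line)) for line in lines if match_log_line(line)]


def is_spora_sample(sha256_hex: str) -> bool:
    """Compare a SHA256 digest (hex) against the sample listed on the page."""
    return sha256_hex.strip().lower() == SPORA_SHA256


# Constructed proxy-log lines: client 192.168.1.50, the address 192.0.2.10 for the
# compromised site and the benign example.com request are invented for the example.
SAMPLE_LOG = [
    "2017-02-04T10:00:00Z 192.168.1.50 GET http://holinergroup.com/ 192.0.2.10 200",
    "2017-02-04T10:00:05Z 192.168.1.50 POST http://fitsz.nl/go.php 213.163.76.143 200",
    "2017-02-04T10:00:09Z 192.168.1.50 GET http://example.com/index.html 192.0.2.1 200",
    "2017-02-04T10:02:00Z 192.168.1.50 CONNECT spora.biz:443 186.2.163.47 200",
]

if __name__ == "__main__":
    for line, alerts in scan(SAMPLE_LOG):
        print(line)
        for alert in alerts:
            print("   ->", alert)
```

The CONNECT case is handled separately because a proxy logs an HTTPS tunnel to the decryption site as `host:port` rather than a full URL, and `urlparse` would misread that form. Matching both the hostname and the destination address means a hit still fires if one of the two changes between runs, as the download host did between the two pcaps above.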
IMAGES
Shown above: Popup within Chrome when viewing the compromised website (image 1 of 2).
Shown above: Popup within Chrome when viewing the compromised website (image 2 of 2).
Shown above: Spora decryption instructions from the HTML file dropped to the Desktop.
Shown above: Spora decryption site at spora.biz.