Malware-Traffic-Analysis.net - 2017-04-18 - EITest campaign: Rig EK or HoeflerText Chrome popup

2017-04-18 - EITEST CAMPAIGN: RIG EK OR HOEFLERTEXT CHROME POPUP

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-04-18-EITest-activity-2-pcaps.zip 22.4 MB (22,439,110 bytes)

2017-04-18-EITest-HoeflerText-popup-traffic.pcap (287,204 bytes)

2017-04-18-EITest-Rig-EK-traffic.pcap (23,828,777 bytes)

2017-04-18-EITest-malware-and-artifacts.zip 541.7 kB (541,682 bytes)

2017-04-18-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)

2017-04-18-Rig-EK-flash-exploit.swf (19,249 bytes)

2017-04-18-Rig-EK-landing-page.txt (57,665 bytes)

2017-04-18-Rig-EK-payload-Quant-Loader.exe (303,104 bytes)

2017-04-18-Rig-EK-post-infection-follow-up-malware-ZLoader.exe (327,680 bytes)

2017-04-18-Spora-ransomware-decryption-instructions.html (12,320 bytes)

2017-04-18-Spora-ransomware-from-HoeflerText-popup.exe (106,496 bytes)

2017-04-18-page-from-serialeshqip_com-with-injected-EITest-script-for-HoeflerText-popup.txt (137,760 bytes)

2017-04-18-page-from-serialeshqip_com-with-injected-EITest-script-for-Rig-EK.txt (91,761 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

Although the EITest campaign still uses exploit kits (EKs), this actor added HoeflerText popups to its arsenal in January 2017.
Kafeine wrote about these HoeflerText popups for the Proofpoint Blog. His write-up is here.
My most recent write-up on the EITest campaign using Rig EK can be found here at the Palo Alto Networks Blog.
The flowchart below should explain the chain of events for EITest.

NOTES:

As always, thanks to @nao_sec for routinely tweeting about compromised websites. I used that info to generate traffic for this blog post.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: EITest HoeflerText popup traffic when compromised site is viewed using Google Chrome.

Shown above: EITest Rig EK traffic when compromised site is viewed using Internet Explorer.

ASSOCIATED DOMAINS:

serialeshqip[.]com - compromised site (viewed in Google Chrome)
207.62.63[.]149 port 80 - elearning.lamission[.]edu - GET /nw.php - Spora ransomware download
186.2.161[.]51 port 80 - torifyme[.]com - POST / - Spora ransomware decryption site
186.2.161[.]51 port 80 - torifyme[.]com - GET / - Spora ransomware decryption site

serialeshqip[.]com - compromised site (viewed in Internet Explorer)
92.53.104[.]104 port 80 - new.5efinance[.]com - Rig EK
51.141.33[.]47 port 80 - unisdr[.]top - post-infection traffic
51.141.33[.]47 port 80 - trackerhost[.]us - post-infection traffic
51.141.33[.]47 port 80 - gerber[.]gdn - post-infection traffic
Various IP addresses on TCP port 443 and 9001 - various domains - Tor traffic
DNS query for corpconor-daily[.]pw (response: No such name)
DNS query for sorrycorpmail[.]site (response: No such name)

FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

SHA256 hash: bab239409230dac6733cd1492b154dbdd83e2dffc38e4d95bafdec98554c11ab
File name: Chrome Font.exe (with non-ASCII characters for some of the letters)
File description Spora ransomware from EITest campaign HoeflerText popup on 2017-04-18

ARTIFACTS FROM RIG EK:

SHA256 hash: d244bc6e7c25a4139b2e00419c6482ff18f1f7952db8647bd230b75ec9b5b942
File description Rig EK Flash exploit seen on 2017-04-18

SHA256 hash: ee3e3ace2e19132370e3981bef3698264de00f0ce545f667f23558ecf379d100
File description Rig EK payload from the EITest campaign on 2017-04-18 (Quant Loader)

SHA256 hash: b76270a461dd7cc1a218f477cff7f225f5321f31f49c13f9118d06eb1008deef
File description Follow-up malware after EITest Rig EK infection on 2017-04-18 (Zloader/DELoader)

IMAGES

Shown above: When using Chrome, we see a HoeflerText popup from the compromised website.

Shown above: Clicking the download link from HoeflerText popup.

Shown above: Spora ransomware decryption instructions.

Shown above: Spora decryption site.

Click here to return to the main page.