EiTest campaign via HoeflerText popup delivers malware

Thanks to @KylianXAnalyst for sharing the compromised site on Twitter.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-26-EiTest-HoeflerText-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:

  • emaxmm.com – Compromised website
  • 37.139.5.191 – POST /sites/default/files/down/download.php – Redirect to Zip download
  • 49.50.76.228 – www.surplusbrand.com/system/download/download.php/ – Hosting zip file containing javascript
  • 37.139.5.191 – GET /sites/default/files/brown.exe – Malware download
  • 168.235.69.27 – lxlxcripicrewbrothrzlxlx.ru – POST / – Post-infection traffic
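
The indicators above can be turned directly into a triage check over proxy or pcap-derived HTTP logs. The following is an added example, not part of the original post: the IP, host and URI values are the ones listed above; the log format and the log lines themselves are constructed for illustration and are not taken from the shared pcap. Because the post does not give a hostname for the two 37.139.5.191 requests, the sample log uses the raw IP as the URL host for those, which is an assumption.

```python
"""Match proxy-style HTTP log lines against the EITest/HoeflerText indicators
listed in the post. Added example, not part of the original post: the indicator
values come from the post; the log lines are constructed for illustration and
are not from the shared pcap."""
from urllib.parse import urlsplit

# Indicators as listed in the post. A None field means "not constrained".
INDICATORS = [
    {"ip": None, "host": "emaxmm.com", "path": None,
     "stage": "compromised site"},
    {"ip": "37.139.5.191", "host": None, "path": "/sites/default/files/down/download.php",
     "stage": "redirect to zip download"},
    {"ip": "49.50.76.228", "host": "www.surplusbrand.com", "path": "/system/download/download.php/",
     "stage": "zip containing JavaScript"},
    {"ip": "37.139.5.191", "host": None, "path": "/sites/default/files/brown.exe",
     "stage": "malware download"},
    {"ip": "168.235.69.27", "host": "lxlxcripicrewbrothrzlxlx.ru", "path": "/",
     "stage": "post-infection traffic"},
]

# Constructed sample log: "<timestamp> <client> -> <server_ip> <method> <url>".
# The host for the two 37.139.5.191 requests is not given in the post, so the
# raw IP is used as the URL host here (assumption). The last line is benign
# traffic to the same IP, included to show that the path check matters.
SAMPLE_LOG = """\
2017-10-26T14:01:02Z 10.0.0.5 -> 93.184.216.34 GET http://example.com/index.html
2017-10-26T14:01:30Z 10.0.0.5 -> 203.0.113.10 GET http://emaxmm.com/
2017-10-26T14:02:10Z 10.0.0.5 -> 37.139.5.191 POST http://37.139.5.191/sites/default/files/down/download.php
2017-10-26T14:02:11Z 10.0.0.5 -> 49.50.76.228 GET http://www.surplusbrand.com/system/download/download.php/
2017-10-26T14:02:40Z 10.0.0.5 -> 37.139.5.191 GET http://37.139.5.191/sites/default/files/brown.exe
2017-10-26T14:03:05Z 10.0.0.5 -> 168.235.69.27 POST http://lxlxcripicrewbrothrzlxlx.ru/
2017-10-26T14:04:00Z 10.0.0.5 -> 37.139.5.191 GET http://37.139.5.191/robots.txt
"""


def _norm_path(path):
    """Treat '/a/b' and '/a/b/' as the same path; an empty path means '/'."""
    return path.rstrip("/") or "/"


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts, client, _, server_ip, method, url = parts
    u = urlsplit(url)
    return {"ts": ts, "client": client, "server_ip": server_ip,
            "method": method, "host": (u.hostname or "").lower(),
            "path": _norm_path(u.path), "url": url}


def classify(event):
    """Return the infection-chain stage the event matches, or None.

    Every constrained field of an indicator (ip, host, path) must match;
    unconstrained fields are skipped, so host-only and ip+path indicators
    both work."""
    for ind in INDICATORS:
        if ind["ip"] and ind["ip"] != event["server_ip"]:
            continue
        if ind["host"] and ind["host"] != event["host"]:
            continue
        if ind["path"] and _norm_path(ind["path"]) != event["path"]:
            continue
        return ind["stage"]
    return None


def match_events(log_text):
    """Return the events that match an indicator, each tagged with its stage."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage is not None:
            ev["stage"] = stage
            hits.append(ev)
    return hits


def infection_chain(log_text):
    """Ordered, de-duplicated list of stages observed: a quick triage view."""
    seen = []
    for ev in match_events(log_text):
        if ev["stage"] not in seen:
            seen.append(ev["stage"])
    return seen


if __name__ == "__main__":
    for ev in match_events(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["client"]} {ev["method"]} {ev["url"]}  ->  {ev["stage"]}')
    print("chain:", " > ".join(infection_chain(SAMPLE_LOG)))
```

Run against a real proxy export, the ordered chain tells you at a glance how far a host got: a hit on the compromised site alone is a visit, a hit on brown.exe plus the .ru POST is a host that needs to be pulled for forensics.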
IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the EITest campaign via HoeflerText popup and the delivery of malware
Shown above: Malware installs TeamViewer on infected host
Shown above: Fake HoeflerText popup with link to zip file containing malicious JavaScript
Shown above: Fake Flash Player zip file containing malicious JavaScript
Shown above: Redirect to malicious payload hosted on https site
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Follow on Twitter @broadanalysis