EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-01-18-EiTest-Hoefler-Text-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.briceinc.com – COMPROMISED SITE
  • 93.113.174.144 – clinicalpsychology.psiedu.ubbcluj.ro GET /los.php – DOWNLOADER FOR NETSUPPORT RAT
  • 5.188.60.6 – GET /net7/7za.exe – NETSUPPORT MANAGER RAT
  • 5.188.60.6 – GET /net7/get.php – POST INFECT TRAFFIC
  • 5.188.60.6 – GET /net7/Upd.cmd – POST INFECT TRAFFIC
  • 46.19.142.178 – POST http://46.19.142.178/fakeurl.htm – C2 TRAFFIC
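To show how the indicators above translate into a detection check, here is an added example (not code from the original post) that scans proxy-style HTTP log lines for the hosts, IPs and request paths listed for this infection chain and reports which stage each hit belongs to. The log format (timestamp, source IP, destination IP, Host header, method, URI, space-separated) and the sample lines are constructed for illustration; the destination IP used for the compromised site is a documentation-range placeholder because the page does not list one.

```python
"""Flag HTTP requests matching the indicators listed for this EiTest /
NetSupport Manager RAT chain and order the stages by first appearance.

Added example. The log layout (ts src dst_ip host method uri) is an assumed
simplified format, not the output of any particular tool, and SAMPLE_LOG is
constructed, not taken from the page's pcap.
"""
from dataclasses import dataclass

# Indicators as listed on the page: (destination host or IP, method, uri, stage).
# A uri of None matches any request to that destination.
IOCS = [
    ("www.briceinc.com", "GET", None, "compromised site"),
    ("clinicalpsychology.psiedu.ubbcluj.ro", "GET", "/los.php", "downloader for NetSupport RAT"),
    ("93.113.174.144", "GET", "/los.php", "downloader for NetSupport RAT"),
    ("5.188.60.6", "GET", "/net7/7za.exe", "NetSupport Manager RAT"),
    ("5.188.60.6", "GET", "/net7/get.php", "post-infection traffic"),
    ("5.188.60.6", "GET", "/net7/Upd.cmd", "post-infection traffic"),
    ("46.19.142.178", "POST", "/fakeurl.htm", "C2 traffic"),
]

# Constructed sample log; 203.0.113.10 and 198.51.100.7 are placeholder IPs.
SAMPLE_LOG = """\
2018-01-18T14:02:11 10.0.0.5 203.0.113.10 www.briceinc.com GET /
2018-01-18T14:02:12 10.0.0.5 93.113.174.144 clinicalpsychology.psiedu.ubbcluj.ro GET /los.php
2018-01-18T14:02:13 10.0.0.5 198.51.100.7 www.example.com GET /index.html
2018-01-18T14:02:20 10.0.0.5 5.188.60.6 5.188.60.6 GET /net7/7za.exe
2018-01-18T14:02:25 10.0.0.5 5.188.60.6 5.188.60.6 GET /net7/get.php
2018-01-18T14:02:30 10.0.0.5 46.19.142.178 46.19.142.178 POST /fakeurl.htm
""".splitlines()


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    uri: str
    stage: str


def parse_line(line):
    """Split one log line into its six fields; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return dict(zip(("ts", "src", "dst_ip", "host", "method", "uri"), parts))


def match(rec):
    """Return the stage name of the first indicator the record matches, else None.
    Destination is matched against both the Host header and the destination IP,
    so a request by bare IP (as in the /net7/ downloads) is still caught."""
    for dest, method, uri, stage in IOCS:
        if dest not in (rec["host"], rec["dst_ip"]):
            continue
        if method != rec["method"]:
            continue
        if uri is not None and rec["uri"] != uri:
            continue
        return stage
    return None


def scan(lines):
    """Return a Hit for every log line that matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = match(rec)
        if stage is not None:
            hits.append(Hit(rec["ts"], rec["src"], rec["host"], rec["uri"], stage))
    return hits


def chain_summary(hits):
    """Distinct stages in order of first occurrence, to check whether the whole
    sequence (compromised site -> downloader -> RAT -> post-infection -> C2) is present."""
    seen = []
    for h in hits:
        if h.stage not in seen:
            seen.append(h.stage)
    return seen


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst}{h.uri}  [{h.stage}]")
    print("stages observed:", " -> ".join(chain_summary(scan(SAMPLE_LOG))))
```

Matching on destination plus method plus exact path keeps false positives down: a GET to `/fakeurl.htm` or a request for some other file under `/net7/` is not reported, while the full ordered stage list makes it easy to tell a host that merely visited the compromised site from one that completed the chain.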


IMAGES AND DETAILS OF INFECTION CHAIN:

[Image] Network traffic associated with the EiTest campaign and Hoefler Text pop-up leading to NetSupport Manager RAT

[Image] Injected script found on the compromised site associated with the EiTest campaign

[Image] First pop-up associated with the Hoefler Text fake font

[Image] Downloader associated with NetSupport Manager RAT, downloaded from clinicalpsychology.psiedu.ubbcluj.ro

[Image] Post-infection C2 traffic associated with NetSupport Manager RAT


MALICIOUS PAYLOAD ASSOCIATED WITH THE EITEST CAMPAIGN:

2018-01-18-Font_update.exe – Downloader for NetSupport RAT
VirusTotal Link