EiTest campaign Hoefler Text Pop-up delivers GandCrab Ransomware and Fake AV Alert

I have added zipped pcap files for your analysis. The password for the zipped pcaps is "infected", all lowercase.

PCAP files of the infection traffic:
2018-02-06-Hoefler-Text-pcap.zip
2018-02-06-Fake-AV-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES [HOEFLER TEXT]:

  • www.galwayairport.com – COMPROMISED SITE
  • 5.154.176.204 – shopreduceri.ro GET /index_3.php – GANDCRAB RANSOMWARE
  • 66.171.248.178 – nomoreransom.coin – IP ADDRESS CHECK
  • 151.248.118.75 – nomoreransom.coin POST /curl.php?token=1027 – RANSOMWARE CHECK-IN
  • 80.67.3.122 – gdcbghvjyqy7jclk.onion.top – RANSOMWARE PAYMENT


ASSOCIATED DOMAINS AND IP ADDRESSES [FAKE AV ALERT]:

  • www.galwayairport.com – COMPROMISED SITE
  • 204.155.28.5 – setupupdate.bid GET /index/?MCPKV8 – REDIRECT TO FAKE AV PAGE
  • 185.159.83.47 – fatheris.tk GET /?number=800-801-7934 – FAKE AV PAGE
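The two IOC lists above are what you will be hunting for in the pcaps. As an added example (not part of the original post), the script below parses a classic Ethernet pcap in pure Python, pulls the method, path and Host header out of every HTTP request, and matches each request against the post's domains and IP addresses, preferring a hit where both the Host header and the destination IP line up (this matters for nomoreransom.coin, which resolves to two different IPs with two different roles). The capture it runs on is constructed inline from the requests listed above; it is not the real traffic, and the parser assumes a pcap (not pcapng) file with Ethernet link type and does not verify checksums.

```python
import socket
import struct

# IOC table transcribed from the lists above: (Host header, destination IP, role).
IOCS = [
    ("shopreduceri.ro", "5.154.176.204", "GANDCRAB RANSOMWARE"),
    ("nomoreransom.coin", "66.171.248.178", "IP ADDRESS CHECK"),
    ("nomoreransom.coin", "151.248.118.75", "RANSOMWARE CHECK-IN"),
    ("gdcbghvjyqy7jclk.onion.top", "80.67.3.122", "RANSOMWARE PAYMENT"),
    ("setupupdate.bid", "204.155.28.5", "REDIRECT TO FAKE AV PAGE"),
    ("fatheris.tk", "185.159.83.47", "FAKE AV PAGE"),
]


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap buffer."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # DLT_EN10MB only
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payloads(frames):
    """Yield (src_ip, dst_ip, payload) for IPv4/TCP frames; anything else is skipped."""
    for frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]  # drop Ethernet trailer padding
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        tcp = ip[ihl:]
        doff = (tcp[12] >> 4) * 4
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), tcp[doff:]


def parse_http_request(payload):
    """Return (method, path, host) if the payload starts an HTTP request, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), host


def find_ioc_hits(pcap_bytes):
    """Match every HTTP request against IOCS; a Host+IP match beats a single-field match."""
    hits = []
    for src, dst, payload in tcp_payloads(iter_pcap_frames(pcap_bytes)):
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, host = req
        best = None
        for ioc_host, ioc_ip, role in IOCS:
            score = (host == ioc_host) + (dst == ioc_ip)
            if score and (best is None or score > best[0]):
                best = (score, role)
        if best:
            hits.append({"src": src, "dst": dst, "host": host,
                         "request": f"{method} {path}", "role": best[1]})
    return hits


def build_frame(src, dst, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums zeroed; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Write frames out as a little-endian classic pcap buffer with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1517900000 + i, 0, len(frame), len(frame)) + frame
    return out


def http_get(host, path):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n".encode()


# Constructed sample traffic modelled on the requests listed in the post; not the real pcap.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "10.0.0.1", http_get("www.example.invalid", "/")),
    build_frame("192.168.1.10", "5.154.176.204", http_get("shopreduceri.ro", "/index_3.php")),
    build_frame("192.168.1.10", "151.248.118.75",
                b"POST /curl.php?token=1027 HTTP/1.1\r\nHost: nomoreransom.coin\r\n\r\n"),
    build_frame("192.168.1.10", "185.159.83.47", http_get("fatheris.tk", "/?number=800-801-7934")),
])

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_PCAP):
        print(f"{hit['src']} -> {hit['dst']} {hit['host']} {hit['request']} [{hit['role']}]")
```

To run it against the real captures, replace SAMPLE_PCAP with the bytes read from the unzipped pcap; it reports three hits on the constructed sample (the benign request to www.example.invalid matches nothing) and labels the nomoreransom.coin POST as the check-in rather than the IP address check because both fields agree.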


IMAGES AND DETAILS OF INFECTION CHAIN [HOEFLER TEXT]:

Shown above: Network traffic associated with the EiTest campaign and Hoefler Text pop-up leading to GandCrab ransomware


Shown above: GandCrab ransomware downloaded from shopreduceri.ro


Shown above: GandCrab ransomware download after being referred by the compromised site. I was unable to capture the injected script on the compromised site due to the page being cached by the browser on a previous attempt at infection.

Tip: Don’t forget to clear your browser’s cache!


IMAGES AND DETAILS OF INFECTION CHAIN [FAKE AV ALERT]:

Shown above: Network traffic associated with the EiTest campaign and the fake virus alert tech support scam


Shown above: Injected script found on the compromised site, redirecting to the fake virus alert tech support page


Shown above: Redirect and pop-up associated with the EiTest campaign and the fake virus alert tech support scam


MALICIOUS PAYLOAD ASSOCIATED WITH EITEST CAMPAIGN:

2018-02-01-Font_update.exe – GandCrab Ransomware
VirusTotal Link