EITest campaign: Hoefler Text pop-up delivers NetSupport Manager RAT

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-03-10-Hoefler-Text-Fake-Font-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.b9dental.com – COMPROMISED SITE
  • 203.113.244.90 – byod.mcclellandcollege.vic.edu.au GET /indexi.php – DOWNLOADER FOR NETSUPPORT MANAGER RAT
  • 31.31.196.204 Port 1488 – printscreens.info – NETSUPPORT MANAGER RAT POST INFECT TRAFFIC
  • 94.242.198.167 Port 1488 – ebalodauna1488.com POST http://94.242.198.167/fakeurl.htm – NETSUPPORT MANAGER RAT POST INFECT TRAFFIC


Shown above: Network traffic associated with the EITest campaign and Hoefler Text fake font pop-up leading to NetSupport Manager RAT


Shown above: DNS traffic associated with the EITest campaign and Hoefler Text fake font pop-up leading to NetSupport Manager RAT


Shown above: Injected script found on compromised site


Shown above: First pop-up associated with Hoefler Text fake font


Shown above: Downloader associated with NetSupport Manager RAT downloaded from byod.mcclellandcollege.vic.edu.au


MALICIOUS PAYLOAD ASSOCIATED WITH EITEST CAMPAIGN:

Font update.exe – NETSUPPORT RAT DOWNLOADER
SHA-256: a64b41d4cd8cf971f91901578552c1e6aefe955485b3ded858c75c7bb0784496
VirusTotal Link
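The indicators above map onto three stages: the injected script on the compromised site, the GET for /indexi.php that retrieves the downloader, and the POST requests to /fakeurl.htm on TCP port 1488, which is how a NetSupport Manager client talks to its gateway. The following script is an added example, not code from the original post or from the pcap. It loads the domains, IPs, port, URI patterns and SHA-256 from this post and runs them over a handful of constructed HTTP records laid out like a tab-separated Zeek http.log export (src, dst, dport, method, host, uri); the record sources, the 10.0.0.5 client and the 192.0.2.x / 198.51.100.x addresses are invented for the demonstration. The looser "gateway pattern" rule, which flags any POST to /fakeurl.htm even to a host not in this post, is an assumption generalising from the NetSupport Manager gateway behaviour seen here, so treat it as a hunting lead rather than a confirmed indicator.

```python
"""Match EITest / NetSupport Manager RAT indicators against HTTP records.

Added example for this post; not the author's code and not derived from the
pcap. Sample records below are constructed to resemble a Zeek http.log export.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the post.
IOC_DOMAINS = {
    "www.b9dental.com": "compromised site (injected script)",
    "byod.mcclellandcollege.vic.edu.au": "downloader host for NetSupport Manager RAT",
    "printscreens.info": "NetSupport Manager RAT post-infection traffic",
    "ebalodauna1488.com": "NetSupport Manager RAT post-infection traffic",
}
IOC_IPS = {
    "203.113.244.90": "downloader host",
    "31.31.196.204": "NetSupport Manager RAT post-infection traffic",
    "94.242.198.167": "NetSupport Manager RAT post-infection traffic",
}
IOC_PAYLOAD_SHA256 = "a64b41d4cd8cf971f91901578552c1e6aefe955485b3ded858c75c7bb0784496"
C2_PORT = 1488            # port used by both post-infection hosts in the post
DOWNLOADER_URI = "/indexi.php"
GATEWAY_URI = "/fakeurl.htm"   # NetSupport Manager gateway endpoint seen in the post


@dataclass
class HttpRecord:
    src: str
    dst: str
    dport: int
    method: str
    host: str
    uri: str


def parse_http_line(line: str) -> HttpRecord:
    """Parse one tab-separated record: src, dst, dport, method, host, uri."""
    src, dst, dport, method, host, uri = line.rstrip("\n").split("\t")
    return HttpRecord(src, dst, int(dport), method.upper(), host.lower(), uri)


def classify(rec: HttpRecord) -> Optional[str]:
    """Label a record by infection stage, or None if nothing from the post matches."""
    known_host = rec.host in IOC_DOMAINS or rec.dst in IOC_IPS
    if known_host:
        if rec.method == "POST" and rec.uri.endswith(GATEWAY_URI) and rec.dport == C2_PORT:
            return "netsupport-c2"
        if rec.method == "GET" and rec.uri == DOWNLOADER_URI:
            return "netsupport-downloader"
        if rec.host == "www.b9dental.com":
            return "compromised-site"
        return "ioc-match"
    # Assumption: a POST to /fakeurl.htm anywhere is worth a look as a possible
    # NetSupport gateway session, even if the host is not one listed in the post.
    if rec.method == "POST" and rec.uri.endswith(GATEWAY_URI):
        return "netsupport-gateway-pattern"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (dst, host, uri, label) for every record that matched something."""
    hits = []
    for line in lines:
        rec = parse_http_line(line)
        label = classify(rec)
        if label is not None:
            hits.append((rec.dst, rec.host, rec.uri, label))
    return hits


def payload_matches(data: bytes) -> bool:
    """True if the bytes hash to the Font update.exe SHA-256 from the post."""
    return hashlib.sha256(data).hexdigest() == IOC_PAYLOAD_SHA256


# Constructed sample records (not from the pcap); client and 192.0.2.x /
# 198.51.100.x addresses are placeholders.
SAMPLE_HTTP = [
    "10.0.0.5\t192.0.2.10\t80\tGET\twww.b9dental.com\t/",
    "10.0.0.5\t203.113.244.90\t80\tGET\tbyod.mcclellandcollege.vic.edu.au\t/indexi.php",
    "10.0.0.5\t31.31.196.204\t1488\tPOST\tprintscreens.info\t/fakeurl.htm",
    "10.0.0.5\t94.242.198.167\t1488\tPOST\t94.242.198.167\t/fakeurl.htm",
    "10.0.0.5\t198.51.100.7\t80\tGET\twww.example.com\t/index.html",
    "10.0.0.5\t198.51.100.8\t1488\tPOST\t198.51.100.8\t/fakeurl.htm",
]

if __name__ == "__main__":
    for dst, host, uri, label in scan(SAMPLE_HTTP):
        print(f"{label:30} {dst:16} {host} {uri}")
    print("payload hash match:", payload_matches(b"constructed, not the real sample"))
```

To run this against the actual pcap, export the same six fields with tshark (for example `tshark -r infection.pcap -Y http.request -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.request.method -e http.host -e http.request.uri`) and feed the lines to `scan`; the host-header match catches the printscreens.info session while the destination-IP match catches the session where the RAT posts directly to 94.242.198.167.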