EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT

Jan 25, 2018 by Analysis in EITEST

Thanks to @thlnk3r for sharing information on compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2018-01-25-Hoefler-Text-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

big4accountingfirms.org – COMPROMISED SITE
212.1.208.53 – www.liceobelgrano.edu.ar GET /index_2.php – DOWNLOADER FOR NETSUPPORT RAT
46.19.142.178 Port 2259 – POST http://46.19.142.178/fakeurl.htm – C2 TRAFFIC

TRAFFIC OBSERVED ON 2018-01-24:

91.211.112.101 – teleduck.de GET /index_2.php – DOWNLOADER FOR NETSUPPORT RAT
46.19.142.178 Port 2259 – POST http://46.19.142.178/fakeurl.htm – C2 TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the EiTest campaign and Hoefler Text pop-up leading to NetSupport Manager RAT observed 2018-01-25

Shown above: Network traffic associated with the EiTest campaign and Hoefler Text pop-up leading to NetSupport Manager RAT observed 2018-01-24

Shown above: Injected script found on compromised site associated with the EiTest campaign

Shown above: First pop-up associated with Hoefler Text fake font

Shown above: Downloader associated with NetSupport Manager RAT downloaded from www.liceobelgrano.edu.ar

MALICIOUS PAYLOAD ASSOCIATED WITH EITEST CAMPAIGN:

2018-01-25-Font_update.exe – Downloader for NetSupport RAT
VirusTotal Link
2018-01-24-Font_update.exe – Downloader for NetSupport RAT
VirusTotal Link

Tagged with: Albany NY, Cyber Security, Cybersecurity, Fake Font, HoeflerText, Indicator's of Compromise, IOC's, Malware analysis, Malware Research, New York