EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT

Feb 24, 2018 by Analysis in EITEST

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2018-02-23-EITest-Hoefler-Text-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

zaremedspa.com – COMPROMISED SITE
91.211.112.101 – teleduck.de GET /index_3.php – DOWNLOADER FOR NETSUPPORT MANAGER RAT
31.31.196.204 Port 443 – printscreens.info – NETSUPPORT MANAGER RAT POST INFECT TRAFFIC
94.242.198.167 Port 1488 – ebalodauna1488.com POST http://94.242.198.167/fakeurl.htm – NETSUPPORT MANAGER RAT POST INFECT TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the EiTest campaign and Hoefler Text pop-up leading to NetSupport Manager RAT

Shown above: DNS traffic associated with the EiTest campaign and Hoefler Text pop-up leading to NetSupport Manager RAT

Shown above: First pop-up associated with Hoefler Text fake font

Shown above: Downloader associated with NetSupport Manager RAT downloaded from teleduck.de /index_3.php

MALICIOUS PAYLOAD ASSOCIATED WITH EITEST CAMPAIGN:

Font_update.exe – NETSUPPORT RAT DOWNLOADER
SHA-256 Hash: 9e23d5b5ccfd47ffb28b4a2a3ef96a93b1b595893022ad564c29c6cdc8e9f39f
Virus Total Link
q.js – JavaScript used to download NETSUPPORT RAT
C:\Users\USERNAME\AppData\Local\Temp
SHA-256 Hash: c9aef58c5a639778b2f83495d30a4a9466d79e70b2d089cffb9e1974d335b4ed
Virus Total Link
client32.exe – NETSUPPORT CLIENT
C:\Users\USERNAME\AppData\Roaming\Dom
SHA-256 Hash: c9aef58c5a639778b2f83495d30a4a9466d79e70b2d089cffb9e1974d335b4ed
Virus Total Link

Tagged with: Cyber Security, Cybersecurity, Fake Font Pack, HoeflerText, Indicator's of Compromise, IOC's, Malware analysis, Malware Research