EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT

Mar 08, 2018 by Analysis in EITEST

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2018-03-07-Hoefler-Text-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

gloryscoop.com – COMPROMISED SITE
143.95.250.182 – almanhukuku.ozyegin.edu.tr GET /indexaa.php– DOWNLOADER FOR NETSUPPORT MANAGER RAT
31.31.196.204 – printscreens.info – NETSUPPORT MANAGER RAT POST INFECT TRAFFIC
94.242.198.167 Port 1488 – POST http://94.242.198.167/fakeurl.htm – NETSUPPORT MANAGER RAT POST INFECT TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the EiTest campaign and Hoefler Text pop-up leading to NetSupport Manager RAT

Shown above: Pop-up associated with Hoefler Text fake font

Shown above: Injected script found on compromised site redirecting to almanhukuku.ozyegin.edu.tr

MALICIOUS PAYLOAD ASSOCIATED WITH EITEST CAMPAIGN:

Font update.exe – NETSUPPORT RAT DOWNLOADER
SHA-256: 5d1b1fdbad9d99374c767131e3edecd94653ea5d5d5ce83cb9cf89d30a0d48b8
VirusTotal Link

Tagged with: Fake Flash, HoeflerText, Malware analysis, Malware Research, NetSupport Manager RAT, New York