85.93.0.32 – EITest Gate
SHA256 1384b089c4524dd996a60f58ca1465bf89cd8f39e2711846ea394f14c4c87913
The following traffic was found on one of our customers' networks:
- sss.isguynormanbanned[.]com/viewstory.php?id=4F5AB7B499B42D1D63B31CF171C670700DAF07FEFFE37C331C6F5A884
- money.onlinepropertyshopping[.]com/boards/index.php?PHPSESSID=ug4-&action=j4gwfamzza_lnaj4sjj12f_daug4
Just by looking at these requests I could tell one was a gate and the other an EK. However, I didn’t know the referer for the redirect as we don’t always get packets.
After searching the surrounding HTTP traffic I noticed a lot of URLs containing “Solid” and “Works”. I narrowed down my search to a couple of suspicious domains and began looking through the HTML code. I eventually found the site responsible for the redirect:
solidapps.co[.]uk/blog/tag/solidworks-world-2017/
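One way to do this correlation automatically, as an added example that is not part of the original post: a Python script over constructed proxy-log lines (the timestamps, client IPs and the cdn.example.net host are assumptions) that flags the gate and EK URL patterns seen above and, where the Referer is missing, lists the hosts the same client fetched just before the gate request.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log: "time client host path referer" ('-' = no Referer).
# Hosts are the indicators from the write-up, undefanged so they parse.
SAMPLE_LOG = """\
2016-02-11T14:03:11 10.0.0.7 solidapps.co.uk /blog/tag/solidworks-world-2017/ -
2016-02-11T14:03:12 10.0.0.7 cdn.example.net /jquery.min.js solidapps.co.uk
2016-02-11T14:03:14 10.0.0.7 sss.isguynormanbanned.com /viewstory.php?id=4F5AB7B499B42D1D63B31CF171C670700DAF07FEFFE37C331C6F5A884 -
2016-02-11T14:03:16 10.0.0.7 money.onlinepropertyshopping.com /boards/index.php?PHPSESSID=ug4-&action=j4gwfamzza_lnaj4sjj12f_daug4 -
2016-02-11T14:05:00 10.0.0.9 intranet.example.org /index.html -
"""

# Gate: viewstory.php with a long hex id; EK: index.php with PHPSESSID + action.
GATE_RE = re.compile(r"/viewstory\.php\?id=[0-9A-F]{40,}$")
EK_RE = re.compile(r"/boards/index\.php\?PHPSESSID=[^&]+&action=[a-z0-9_]+$")

def parse_log(text):
    """Parse whitespace-separated log lines into dicts."""
    rows = []
    for line in text.splitlines():
        ts, client, host, path, referer = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "host": host,
                     "path": path, "referer": None if referer == "-" else referer})
    return rows

def classify(row):
    if GATE_RE.search(row["path"]):
        return "gate"
    if EK_RE.search(row["path"]):
        return "ek"
    return None

def find_chains(rows, lookback=timedelta(seconds=10)):
    """For each gate hit: the explicit Referer if present, otherwise the hosts the same
    client fetched within `lookback` before it, plus whether an EK request followed."""
    chains = []
    for i, row in enumerate(rows):
        if classify(row) != "gate":
            continue
        if row["referer"]:
            candidates = [row["referer"]]
        else:
            candidates = sorted({r["host"] for r in rows[:i]
                                 if r["client"] == row["client"]
                                 and row["ts"] - r["ts"] <= lookback and classify(r) is None})
        ek_followed = any(classify(r) == "ek" and r["client"] == row["client"]
                          and timedelta(0) <= r["ts"] - row["ts"] <= lookback for r in rows[i + 1:])
        chains.append({"client": row["client"], "gate": row["host"],
                       "candidates": candidates, "ek_followed": ek_followed})
    return chains

if __name__ == "__main__":
    for chain in find_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```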
Below is the injected script from 2/11/16:
Making a request to the site caused the following Sguil alerts:
Following the TCP stream I could see a request for the flash redirector:
Submitting the file to VirusTotal shows it has pretty good detection with a ratio of 12/54 for Trojan:SWF/EITest.A.
My VM wasn’t redirected to an EK landing page this time, but here you can see the script on the gate:
Some other things to note are that 3 other hosts redirected to the EITest gate from the following URIs on the same day:
extendoffice[.]com/documents/excel/2765-excel-combine-cells-keep-formatting.html
extendoffice[.]com/documents/excel/1578-excel-copy-and-paste-only-non-blank-cells.html
extendoffice[.]com/documents/excel/771-excel-fill-blank-cells-with-value-above.html
Lastly, doing a query of DNS records for the gate shows how active these threat actors have been in recent weeks: