EITest Campaign at

IOCs: – EITest Gate
SHA256 1384b089c4524dd996a60f58ca1465bf89cd8f39e2711846ea394f14c4c87913
This isn’t going to be an extensive look into the EITest Campaign as Brad from Malware-traffic-analysis.net has already done great work on this subject. You can also check on my post here for more details. It is more or less an update in some activity I’ve been seeing lately.


The following traffic was found on one of our customers networks:

  • sss.isguynormanbanned[.]com/viewstory.php?id=4F5AB7B499B42D1D63B31CF171C670700DAF07FEFFE37C331C6F5A884
  • money.onlinepropertyshopping[.]com/boards/index.php?PHPSESSID=ug4-&action=j4gwfamzza_lnaj4sjj12f_daug4

Just by looking at these requests I could tell one was a gate and the other an EK. However, I didn’t know the referer for the redirect as we don’t always get packets.

After searching surrounding HTTP traffic I noticed a lot of URLs containing “Solid” and “Works”. I narrowed down my search to a couple suspicious domains and began looking through the HTML code. I eventually found the site responsible for the redirect:


Below is the injected script from 2/11/16:

Making a request to the site caused the following Sguil alerts:

Following the TCP stream I could see a request for the flash redirector:

Submitting the file to VirusTotal shows it has pretty good detection with a ratio of 12/54 for Trojan:SWF/EITest.A.

My VM wasn’t redirected to a EK landing page this time but here you can see the script on the gate:

Some other things to note are that 3 other host redirected to the EITest gate from the following URIs on the same day:


Lastly, doing a query of DNS records for the gate shows how active these threat actors have been in recent weeks:

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: