Tag: EITest Gate

EITest Gate at 31.184.192.173 Leads to Rig EK at 185.141.25.28 and Drops… ?

IOCs:
66.84.14.125 – orfab.com – Compromised Site
31.184.192.173 – piperandscoot.top – EITest Gate
185.141.25.28 – jxlyv.xajee73.top – Rig EK
185.146.171.131/bt/logout.php – post infection callback traffic

Hashes:
SHA256: cc21bee629f99e6a5e5b433f593670b2dea4075b6252fb04fd1bfbb40fbf8e80 – File name: EITest Flash Redirect.swf
SHA256: bf9cda2afc425019312f8c4bc5856ad8378ea980dcd3e195e615224c6777eb5c – File name: EITest Gate.html
SHA256: c73c63f4b5ebd3ebe7c4de16a99519c876a93c50b12b1a3406c28c2929752d68 – File name: RigEK Landing Page.html
SHA256: 970491ca792332f3479200c94dddfe7d77112beb0b879d5becb279010860b487 – File name: RigEK Flash Exploit.swf

Traffic: As ...

EITest Gate at 31.184.193.179 Leads to Rig EK at 185.117.73.220 and Drops What Appears to be Betabot

IOCs:
198.15.70.67 – azarsenalsc[.]org – Compromised Site
31.184.193.179 – aliancaadm.top – EITest Gate
185.117.73.220 – zio11q.oa3ri8.top – Rig EK
103.243.38.25 – b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot
103.234.37.4 – GET /rd927.exe – Post infection download
66.55.153.57 – and30.blabladomdom.com – POST /bla30/gate.php
104.223.89.174 – and30.blabladomdom.com – POST /bla30/gate.php
107.155.99.135 – and30.blabladomdom.com – POST /bla30/gate.php

Reference for ...

EITest Gate at 31.184.192.188 Leads to RigEK 185.117.73.207 and Drops Vawtrak

IOCs:
31.184.192.188 – kinepolis.top – EITest Gate
185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit
108.61.99.79 – GET requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]”

Post Infection DNS Queries:
95.46.98.89 – ctwruhwdk.com
95.46.98.89 – apgtsdeh.com
81.177.13.242 – lkfiravihg.com

Hashes:
SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 – File name: EITest Flash File.swf
SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 – File name: ...

EITest Gate at 194.165.16.204 Leads to Rig EK at 195.133.201.44 and Drops CryptFile2 Ransomware

IOCs:
184.106.55.122 – deadendbbq[.]com – Compromised Website
194.165.16.204 – nohydyc.top – EITest Gate
195.133.201.44 – rty.exploredowntownwestpalmbeach.com – Rig Exploit Kit
5.39.86.86 – GET /default.jpg
5.39.86.86 – POST /z/setting.php

Hashes:
SHA256: f0a8452419edab4ad295d9488759f887a37ceeed7a4a0459b07bcf0490736c34 – File name: EITest SWF Redirect.swf
SHA256: 028df23609481aeaad07f2ab02b934191f0d90930dfee42ab5ccf845dafc44e9 – File name: EITest Gate.html
SHA256: 896ba2463377dedaa01b1d5a1634db0dc8daac4fed7804e142a7b176cf81377a – File name: RigEK Landing Page.html
SHA256: b533cff02059e37a312d59ec4e985e4d3d9578853817818e2743a52d9b2b71c6 – File name: RigEK SWF ...

EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs:
88.208.252.222 – cam-machine.com – Compromised Website
85.93.0.110 – focecu.xyz – EITest Gate
178.32.92.122 – eeuo5tu8.top – Rig EK
108.61.99.79 – GET /module/d1967c99c0c7f9b468f2e08e59e41ffe
108.61.99.79 – GET /module/311ac29c5a8f6b4e7a247db98207fd6e
108.61.99.79 – GET /module/96df1c84c7fb13e880e399f9627e0db0
108.61.99.79 – GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
108.61.99.79 – GET /module/a104f2955999a2f1a1c881e8930b82f6

Post-Infection DNS Queries resolving to 91.235.129.178:
zmluvsfe.com
machinabat.pw
baltolux.bid
twoggis.bid

Post-Infection DNS Queries resolving to 185.4.67.154:
chanpie.pw
zoomir.bid
buhnuti.bid
wermoo.pw

DNS standard query responses ...

EITest Gate at 85.93.0.13 Leads to Rig EK at 109.234.38.67 Which Drops Cerber Ransomware

IOCs:
85.93.0.13 – kavafo.xyz – EITest Gate
109.234.38.67 – qw.thesleepdoctormattress.com – Rig EK
162.250.144.215 – ip-api.com – GET /json – IP Check
115.28.36.224 – http://www.doswf.com – Associated with Rig EK Flash Exploit
91.223.89.201 – Decryptor Site – Associated Files
148.251.6.214 – btc.blockr.io – Associated with BitCoin Information
31.184.234.0/24 and 31.184.235.0/24 via UDP port 6892

Hashes: ...

For the First Time Ever, EITest Gate Leads to Rig EK

IOCs:
85.93.0.12 – epanofap.top – EITest IP/Domain
185.158.152.118 – free.giftofhair.org – Rig EK

Hashes:
EITest Gate Flash Redirect: 2e562c81b88c1a2061c6aa591c25f90c
EITest Gate Landing Page: 859a8994f27d2f9ded7d3aab783d4680
Rig EK Landing Page: 50ad7f7a888954b8a79469f8662864a2
Rig EK Flash Exploit: c6014a32cc06f862ea44db720dfcf553
Rig EK Payload: 7e1622d13f59a7e9f6c0939a2c35ba45

I believe today is the first time that anyone has ever seen the EITest gate leading to a Rig Exploit ...

Update for the EITest Gate

I’ve been following the EITest campaign for a couple of months now and I have just recently noticed something different in the traffic. The threat actors are still using compromised sites by injecting them with the same EITest script:

The EITest script above causes the host to retrieve a Flash file from the EITest gate. However, ...

A Brief History, and a Current Status, of the EITest Campaign

The EITest campaign isn’t anything new. In fact, Jérôme Segura from Malwarebytes wrote a detailed article about this malware campaign in 2014. What he discovered was that this wasn’t your normal drive-by download, as the campaign uses a Flash-based redirection mechanism. Below are three examples of compromised sites that I’ve found in the ...

EITest Gate at 85.93.0.32 Leads to Angler EK at 83.220.169.231

I found these GET requests in our customers’ traffic:

zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D
one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y

Unfortunately for our analyst, we don’t always get packets, so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the ...