{ "Event": { "analysis": "2", "date": "2017-01-26", "extends_uuid": "", "info": "OSINT - EITest Nabbing Chrome Users with a \u201cChrome Font\u201d Social Engineering Scheme", "publish_timestamp": "1485467854", "published": true, "threat_level_id": "3", "timestamp": "1485467665", "uuid": "588a6de9-e2f4-4fbc-b09d-427f02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#001cad", "local": false, "name": "estimative-language:likelihood-probability=\"very-likely\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485467532", "to_ids": false, "type": "text", "uuid": "588a6dfd-19b8-44c8-b297-4f2002de0b81", "value": "\u201cEITest\u201d is a well-documented infection chain that generally relies on compromised websites to direct users to exploit kit (EK) landing pages. EITest has been involved in the delivery of a variety of ransomware, information stealers, and other malware, with clear evidence of its use dating back to 2014. Elements of EITest may be much older, though, with hints pointing to EITest being an evolution of the \u201cGlazunov\u201d infection chain from 2011 [1]. The first server side documentation of this evolution came from Sucuri in July 2014 [2] associated with waves of WordPress exploitation via the MailPoet plugin vulnerability. 
KahuSecurity recently analyzed the server side script in October 2016 [3].", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485467523", "to_ids": false, "type": "link", "uuid": "588a6e0b-3338-442b-8f7f-4c5802de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Fleercivet C&C", "deleted": false, "disable_correlation": false, "timestamp": "1485467183", "to_ids": true, "type": "ip-dst", "uuid": "588a6e2f-3b0c-4d91-a1fe-4e9002de0b81", "value": "198.37.112.248" }, { "category": "Payload delivery", "comment": "Server initiating Fleercivet Fraud Scheme (potentially legitimate)", "deleted": false, "disable_correlation": false, "timestamp": "1485467184", "to_ids": true, "type": "filename", "uuid": "588a6e30-685c-41ed-9ec3-454802de0b81", "value": "searchtopresults.com|209.126.122.139" }, { "category": "Network activity", "comment": "Initial Call before Fleercivet clickfraud", "deleted": false, "disable_correlation": false, "timestamp": "1485467185", "to_ids": true, "type": "url", "uuid": "588a6e31-83cc-43f7-8097-4dc702de0b81", "value": "searchtopresults.com/search.php?aff=8320" }, { "category": "Network activity", "comment": "Later Call tied to Fleercivet activity", "deleted": false, "disable_correlation": false, "timestamp": "1485467185", "to_ids": true, "type": "url", "uuid": "588a6e31-fff8-407a-bc77-448e02de0b81", "value": "searchtopresults.com/search.php?aff=8170&saff=1203" }, { "category": "Payload delivery", "comment": "Fiddler capture (index and post)", "deleted": false, "disable_correlation": false, "timestamp": "1485467196", "to_ids": 
true, "type": "sha256", "uuid": "588a6e3c-f8cc-4b96-97e0-4dd802de0b81", "value": "7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74" }, { "category": "Network activity", "comment": "2014-07-14 - Early \u201cflash redirecting\u201d EITest Domain", "deleted": false, "disable_correlation": false, "timestamp": "1485467252", "to_ids": true, "type": "ip-dst", "uuid": "588a6e74-1650-4d05-9d6c-425502de0b81", "value": "48.251.102.176" }, { "category": "Network activity", "comment": "2014-07-14 - Early \u201cflash redirecting\u201d EITest Domain", "deleted": false, "disable_correlation": false, "timestamp": "1485467277", "to_ids": true, "type": "domain", "uuid": "588a6e8d-6b48-4294-9a19-43b202de0b81", "value": "vidvi.cf" }, { "category": "Network activity", "comment": "EITest node replying to Compromised Server", "deleted": false, "disable_correlation": false, "timestamp": "1485467290", "to_ids": true, "type": "ip-dst", "uuid": "588a6e9a-75e8-4fbf-bd55-427202de0b81", "value": "31.184.192.163" }, { "category": "Network activity", "comment": "EITest node replying to Compromised Server", "deleted": false, "disable_correlation": false, "timestamp": "1485467323", "to_ids": true, "type": "domain", "uuid": "588a6ebb-28e4-481f-9e5b-496602de0b81", "value": "54dfa1cb.com" }, { "category": "Network activity", "comment": "EITest node replying to Compromised Server", "deleted": false, "disable_correlation": false, "timestamp": "1485467324", "to_ids": true, "type": "domain", "uuid": "588a6ebc-2270-4929-9c16-42d102de0b81", "value": "e5b57288.com" }, { "category": "Network activity", "comment": "EITest node replying to Compromised Server", "deleted": false, "disable_correlation": false, "timestamp": "1485467324", "to_ids": true, "type": "domain", "uuid": "588a6ebc-9c9c-4d54-b445-40d702de0b81", "value": "33db9538.com" }, { "category": "Network activity", "comment": "EITest node replying to Compromised Server", "deleted": false, 
"disable_correlation": false, "timestamp": "1485467325", "to_ids": true, "type": "domain", "uuid": "588a6ebd-1900-4657-8b7a-481802de0b81", "value": "9507c4e8.com" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-15", "deleted": false, "disable_correlation": false, "timestamp": "1485467355", "to_ids": true, "type": "sha256", "uuid": "588a6edb-e2ec-49c0-8ea7-215902de0b81", "value": "7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-15", "deleted": false, "disable_correlation": false, "timestamp": "1485467356", "to_ids": true, "type": "sha256", "uuid": "588a6edc-657c-46f4-90de-215902de0b81", "value": "7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-16", "deleted": false, "disable_correlation": false, "timestamp": "1485467357", "to_ids": true, "type": "sha256", "uuid": "588a6edd-0234-472b-b99e-215902de0b81", "value": "9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-17", "deleted": false, "disable_correlation": false, "timestamp": "1485467357", "to_ids": true, "type": "sha256", "uuid": "588a6edd-d158-4416-98c6-215902de0b81", "value": "ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467420", "to_ids": false, "type": "domain", "uuid": "588a6f1c-3404-4dc5-afc0-6dcc02de0b81", "value": "starrer.com" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467421", "to_ids": false, "type": "ip-dst", "uuid": "588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "value": 
"209.126.118.146" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467422", "to_ids": false, "type": "domain", "uuid": "588a6f1e-0260-4424-b74c-6dcc02de0b81", "value": "askcom.me" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467423", "to_ids": false, "type": "ip-dst", "uuid": "588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "value": "209.126.123.39" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467424", "to_ids": false, "type": "domain", "uuid": "588a6f20-1df4-4b3b-90a8-6dcc02de0b81", "value": "twittertravels.com" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467424", "to_ids": false, "type": "ip-dst", "uuid": "588a6f20-1810-4702-a053-6dcc02de0b81", "value": "173.224.124.110" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467425", "to_ids": false, "type": "domain", "uuid": "588a6f21-37d4-481d-b427-6dcc02de0b81", "value": "shareyourfashion.net" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467426", "to_ids": false, "type": "ip-dst", "uuid": "588a6f22-11d0-4190-ae0a-6dcc02de0b81", "value": "209.126.103.104" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving 
Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467427", "to_ids": false, "type": "domain", "uuid": "588a6f23-4e18-48b4-abd1-6dcc02de0b81", "value": "techgnews.com" }, { "category": "Network activity", "comment": "Some servers (potentially legitimate) receiving Fleercivet generated traffic.", "deleted": false, "disable_correlation": false, "timestamp": "1485467427", "to_ids": false, "type": "ip-dst", "uuid": "588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "value": "209.239.115.50" }, { "category": "Network activity", "comment": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)", "deleted": false, "disable_correlation": false, "timestamp": "1485467550", "to_ids": true, "type": "url", "uuid": "588a6f39-4c88-464d-8774-471002de0b81", "value": "kyle.dark7.org/download.php", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)", "deleted": false, "disable_correlation": false, "timestamp": "1485467561", "to_ids": true, "type": "url", "uuid": "588a6f3a-a320-4e32-9621-46c102de0b81", "value": "oblubienica.odnowa.org/download.php", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)", "deleted": false, "disable_correlation": false, "timestamp": "1485467580", "to_ids": true, "type": "url", "uuid": "588a6f3b-45c4-40ae-b38e-428502de0b81", "value": "sriswamidikshananda.org/download.php", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network 
activity", "comment": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)", "deleted": false, "disable_correlation": false, "timestamp": "1485467593", "to_ids": true, "type": "url", "uuid": "588a6f3b-7134-464a-861f-450902de0b81", "value": "demo.signgo.com/help.php", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)", "deleted": false, "disable_correlation": false, "timestamp": "1485467603", "to_ids": true, "type": "url", "uuid": "588a6f3c-9764-4977-8e02-456f02de0b81", "value": "retail.uvapoint.com/help.php", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)", "deleted": false, "disable_correlation": false, "timestamp": "1485467617", "to_ids": true, "type": "url", "uuid": "588a6f3d-8528-42b0-9af6-450802de0b81", "value": "chovek5.lozenetz.org/download.php", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167", "deleted": false, "disable_correlation": false, "timestamp": "1485467665", "to_ids": true, "type": "sha1", "uuid": "588a7011-c36c-48ed-9abc-40e502de0b81", "value": "35c7f51fcf445ac0a2be0dfc81ec653e3eec6068" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167", "deleted": false, "disable_correlation": false, "timestamp": 
"1485467665", "to_ids": true, "type": "md5", "uuid": "588a7011-31fc-4d7b-a442-473702de0b81", "value": "62cfd5f9a600809c9e53ea089920d988" }, { "category": "External analysis", "comment": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167", "deleted": false, "disable_correlation": false, "timestamp": "1485467666", "to_ids": false, "type": "link", "uuid": "588a7012-f1e8-4f25-a7c8-455602de0b81", "value": "https://www.virustotal.com/file/ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167/analysis/1484834402/" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63", "deleted": false, "disable_correlation": false, "timestamp": "1485467667", "to_ids": true, "type": "sha1", "uuid": "588a7013-f6b4-487c-a1ae-4fc602de0b81", "value": "0779fa9caa48b4fd978bf732f8450668eea13f39" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63", "deleted": false, "disable_correlation": false, "timestamp": "1485467667", "to_ids": true, "type": "md5", "uuid": "588a7013-e0d0-431e-ace0-4fc002de0b81", "value": "7b9aae9a506fc9e19cc127b5c74bfba1" }, { "category": "External analysis", "comment": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63", "deleted": false, "disable_correlation": false, "timestamp": "1485467668", "to_ids": false, "type": "link", "uuid": "588a7014-6648-4d5b-ae8e-4b7b02de0b81", "value": "https://www.virustotal.com/file/9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63/analysis/1484886904/" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc", "deleted": false, "disable_correlation": false, "timestamp": "1485467669", "to_ids": true, "type": 
"sha1", "uuid": "588a7015-72d4-4d87-b1f3-4c9b02de0b81", "value": "5a95dc982879b78fc44ca6e3d473aab2eafa5012" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc", "deleted": false, "disable_correlation": false, "timestamp": "1485467670", "to_ids": true, "type": "md5", "uuid": "588a7016-1130-4783-8732-421502de0b81", "value": "f9e1f0083e0e42833c5dfa7faa4a0281" }, { "category": "External analysis", "comment": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc", "deleted": false, "disable_correlation": false, "timestamp": "1485467670", "to_ids": false, "type": "link", "uuid": "588a7016-1bdc-4229-a0fa-414c02de0b81", "value": "https://www.virustotal.com/file/7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc/analysis/1484541299/" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a", "deleted": false, "disable_correlation": false, "timestamp": "1485467671", "to_ids": true, "type": "sha1", "uuid": "588a7017-ae5c-4778-8d55-422702de0b81", "value": "a13b63b53ffd8bf90665f6109b7f6294f6219dd7" }, { "category": "Payload delivery", "comment": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a", "deleted": false, "disable_correlation": false, "timestamp": "1485467672", "to_ids": true, "type": "md5", "uuid": "588a7018-94e0-438b-bf8f-4b3d02de0b81", "value": "b9ec73f2406d87f69a6c8dfc46ed3a28" }, { "category": "External analysis", "comment": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a", "deleted": false, "disable_correlation": false, "timestamp": "1485467672", "to_ids": false, "type": "link", "uuid": "588a7018-60ec-4202-a54f-4a9e02de0b81", "value": 
"https://www.virustotal.com/file/7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a/analysis/1485239703/" }, { "category": "Payload delivery", "comment": "Fiddler capture (index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74", "deleted": false, "disable_correlation": false, "timestamp": "1485467673", "to_ids": true, "type": "sha1", "uuid": "588a7019-96d0-4507-81b2-4fbf02de0b81", "value": "b38e12e5346fb02d41e18574d10fbf96f085a7c0" }, { "category": "Payload delivery", "comment": "Fiddler capture (index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74", "deleted": false, "disable_correlation": false, "timestamp": "1485467674", "to_ids": true, "type": "md5", "uuid": "588a701a-9664-423c-85d8-435102de0b81", "value": "e8a36364b057d2ca6ea79061188591c0" }, { "category": "External analysis", "comment": "Fiddler capture (index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74", "deleted": false, "disable_correlation": false, "timestamp": "1485467674", "to_ids": false, "type": "link", "uuid": "588a701a-9ff8-4e32-bea2-4bdf02de0b81", "value": "https://www.virustotal.com/file/7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74/analysis/1484822761/" } ] } }