A persistent EITest malware campaign keep getting stronger, prompted by the fact that it has shifted its distribution technique over time.
Based on the analysis of the malware campaign conducted earlier this month, researchers at the SANS Institute’s Internet Storm Center, stated that EITest is rising up again.
The researcher Brad Duncan claims that the EITest malware campaign is being refueled by the fact it is shifting from the Angler exploit kit to the Neutrino exploit kit.
“During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,” Duncan wrote.
EITest, which was first noticed in July of 2014, is known for leveraging thousands of legitimate websites that have been hacked and used in tandem with a Flash-based redirection script to deliver payloads such as the Gootkit Trojan information stealer.
When it comes to EITest, cyber criminals were booby trapping legitimate websites with drive-by downloads unbeknownst to their owners by using rotating URLs as the exploit kit’s landing page. The attackers did this by inserting a Flash application code at the bottom of an infected site’s main page to direct traffic to a malicious landing page. To avoid URL blacklisting, hackers used free DNS services to register disposable subdomains to create a large pool of URLs that can be used once and then trashed.
According to Duncan, the EITest campaigns is currently using 220.127.116.11/24 for a gate between the compromised website and the Neutrino EK.
“The TLD for these gate domains has most often been .tk but we’ve seen .co.uk domains used this week,” Duncan said.
Regarding the payload, in two instances Duncan says that he was running Adobe Flash Player 18.104.22.1686, which is vulnerable to CVE-2016-1019, which lets remote hackers cause a denial of service or possibly execute arbitrary code.
The progress of the stubborn EITest malware campaign has also been tracked by Palo Alto Networks. A couple of months ago, the experts noticed that the EITest gate occasionally changes IP addresses, but consistently used the TLDs .tk, .uk and .com.
“The EITest gate URL continues to return a Flash file that redirects traffic to Angler EK. This gate URL always generates two HTTP GET requests. The first request retrieves the Flash file and the second request returns script pointing to an Angler EK landing page,” Palo Alto stated.
According to SANS Institute’s Internet Storm Center, the indicators of compromise on its test systems include the EITest gate 22.214.171.124 port 80 (true.imwright.co.uk) and 126.96.36.199 port 80 (ndczaqefc.anein.top) for the Neutrino EK with the payload Gootkit information stealer.