EITest: Sinkholing the oldest infection chain

Share with your network!

Overview

“EITest” is a well-documented infection chain that relies on compromised websites to direct users to exploit kit (EK) landing pages, social engineering schemes, and more. EITest is likely one of the oldest of its kind and has been involved in the delivery of a variety of ransomware, information stealers, and other malware, with clear evidence of its use dating back to 2011. Recently, however, Proofpoint researchers, in collaboration with researchers from brillantit.com and abuse.ch, sinkholed EITest, rendering the infection chain ineffective and preventing as many as two million potential malicious redirects a day.

History

As we wrote in January 2017 [1], shortly after EITest started to use social engineering schemes, researchers traced the chain via server side artifacts and some historical analysis of server side compromises to infections as early as 2011 when it was redirecting to a private EK known as Glazunov. The infection chain appears to have paused between the end of 2013 and the beginning of July 2014, when it began directing into Angler (Figure 1).

Selection of documented events tied to EITest before and after their pause

Figure 1: A selection of documented events tied to EITest before and after their pause in the first half of 2014

Looking at the history in Figure 1, we observed that the actor was spreading the Zaccess Trojan as an affiliate member, most likely for the actor’s own purposes using the Glazunov EK. Glazunov was a private EK used only by the EITest operators. It was a cousin of Kore/Sibhost EK, which in turn was exclusively used by the Urausy group [2] Examining the creation dates of EITest command and control (C&C) domains, it appears that the actor started to rework infrastructure around November 2013.

EITest C&C domain creation dates

Figure 2: EITest C&C domain creation dates

In July 2014, the chain reappeared with a new infection pattern spreading multiple payloads. This sort of downstream activity is generally associated with two possible scenarios:

  • The actor is selling loads (infections) or
  • The actor is selling traffic (to other actors, a load seller, or both)

The patterns shown in Figure 3 suggested that the actor behind EITest was selling traffic.

Two weeks of documented events tied to EITest

Figure 3: Two weeks of documented events tied to EITest suggesting that the actor was reselling traffic based on the diversity of EKs and payloads.

Based on EITest actor activity on underground forums and insights from Empire EK (see Appendix), we confirmed that the actor was selling traffic. In 2014, we found that the actor was selling traffic in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.

As shown in Figure 4, in the past month the activity behind this infection chain has primarily consisted of social engineering [1] and tech support scams [3] leading to ransomware.

Selection of documented events showing EITest activity evolution

Figure 4: A selection of documented events showing the evolution of the activity behind EITest in the past year.

Sinkholing operation:

On March 15, 2018, working with abuse.ch [5] and @Secu0133 [6], we were able to fully sinkhole the EITest operation.

As @secu0133 explained in his analysis of an EITest php script [7], the C&C domains were generated from the resolution of a key domain “stat-dns[.]com”. Once seized, we pointed that domain to a new IP address to generate four new EITest C&C domains. These, in turn, were pointed to an abuse.ch sinkhole.

EITest infrastructure and satellite

Figure 5: The EITest infrastructure and satellite in January 2017

As a result of generating those new domains, we were able to substitute the malicious server with a sinkhole. We are now receiving the traffic from the backdoors on the compromised websites, freeing them from the EITest C&Cs and their visitors from the resulting malicious traffic and injects.

Figure 6: The red box highlights the server we substituted with a sinkhole and the connection to the EITest C&C that was closed by the sinkhole operation.

Analysis of the sinkhole:

We analyzed data from the sinkhole operation from March 15 to April 4, 2018. During that period, the sinkhole received almost 44 million requests from roughly 52,000 servers. Decoding the requests we were able to obtain a list of compromised domains as well as IP addresses and user agents of the users who had browsed to the compromised servers.

Of the compromised websites, we observed multiple content management systems, but the vast majority appeared to be using WordPress.

Figure 7 shows the geographic distribution of the 52,000 compromised servers used by EITest.

Worldwide distribution of compromised servers in EITest

Figure 7: Worldwide distribution of the compromised servers in EITest

Figure 8 shows the worldwide distribution of browsing events -- the geographic location of would-be victims -- that triggered connections from compromised servers to the sinkhole; had the sinkhole not been in place, these events would have triggered a connection to an EITest C&C. The top ten countries by number of triggered connections appear in Figure 9.

Geographic distribution of browsing events

Figure 8: Geographic distribution of the browsing events that triggered connections from the compromised servers to the sinkhole

Top ten countries accessing EITest-compromised websites

Figure 9: Top ten countries accessing EITest-compromised websites and the associated number of connections to the sinkhole between March 15 to April 4, 2018

Conclusion

EITest is one of the oldest and largest infection chains, which, early in its operation, primarily distributed malware via a private exploit kit. In more recent years, the operators of EITest became prolific sellers of traffic to EK operators and social engineering schemes through their large network of compromised web servers. Sinkholing this infection chain disrupted over two million potential malicious redirects per day with significant implications for downstream buyers of EITest traffic.

Following the successful sinkhole operation, the actor shut down their C&C proxies, but we have not observed further overt reactions by the operators of EITest. Although we witnessed some encoded calls to the sinkhole that embedded commands we would associate with takeover attempts, we cannot verify whether they were initiated by the operator or other researchers or threat actors attempting to interact with the real EITest C&C. However, we will continue to monitor EITest activity as the  EITest actor may attempt to regain control of a portion of the compromised websites involved in the infection chain.

We are sharing the complete list of compromised websites with national CERTs and cleanup efforts are ongoing.

Acknowledgment

We would like to thank abuse.ch and @Secu0133 for their assistance in the sinkhole operation and data collection.

References

[1] https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme

[2] https://malware.dontneedcoffee.com/2013/05/the-missing-link-some-lights-on-urausy.html

[3] https://malware.dontneedcoffee.com/hosted/anonymous/kotd.html

[4] https://blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/

[5] https://abuse.ch/

[6] https://twitter.com/Secu0133

[7] https://blog.brillantit.com/exposing-eitest-campaign/

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

54dfa1cb[.]com|31.184.192.163

domain|ip

EITest C&C (before sinkholing)

e5b57288[.]com|31.184.192.173

domain|ip

EITest C&C (before sinkholing)

33db9538[.]com|31.184.192.173

domain|ip

EITest C&C (before sinkholing)

9507c4e8[.]com|31.184.192.163

domain|ip

EITest C&C (before sinkholing)

04d92810[.]com

domain

EITest Sinkhole

c84c8098[.]com

domain

EITest Sinkhole

e42d078d[.]com

domain

EITest Sinkhole

498296c9[.]com

domain

EITest Sinkhole

stat-dns[.com 

domain

Seized domain controlling the DGA

Appendix

Advertisement that we attributed to the EITest operator - July 22, 2014

Продам mix ie iframe траф

Ищу человека, готового выкупить поток фильтрованного от ботов ie mix трафа.

Траф с лома, без ру и снг, примено 50-70к в сутки.

Хочу 20$ за 1к трафа или по предложению 8)

jabber 337373733@wtfismyip.com

 

Translation:

Selling mix ie iframe traffic

I am looking for a person who is ready to buy a stream of filtered IE mixed traffic (from bots).

Traffic is from hacked, without RU and C.I.S countries, approximately 50-70k per day.

I want $20 for 1k of traffic or your proposal

jabber 337373733@wtfismyip.com

 

Analysis from Empire EK data

Statistics for one of two EITest threads in Empire EK

Figure: Statistics for one of the two EITest threads in Empire EK (whose operator was acting as as both a traffic buyer and load seller) in October 2016.