Its one of the oldest & largest infection chains, that performed a variety of dangerous infection by distributing ransomware, information stealers, and other malware.
Recent Years EITest is one of the main sellers of malicious traffic to Exploit Kit (EK) operators and social engineering operations via compromised websites.
EITest Infection History with Exploit Kit
Initially, during the period of 2017 researchers identified that it started using a variety of social engineering tactics and it was redirecting to a private EK known as Glazunov during 2013 and also its stared infecting rework infrastructure in the same year.
Later it directed into Angler Exploit Kit(EK) and the threat actors main motivation to spreading Zaccess Trojan and Glazunov was a private Exploit Kit(EK) used only by the EITest operators.
its reemerged again in 2014 with new infection pattern and started infecting with a new payload with 2 different categories
- The actor is selling loads (infections) or
- The actor is selling traffic (to other actors, a load seller, or both)
Accorinding to the Research that conducted by Proofpoint along with brillantit.com and abuse.ch, Based on EITest actor activity on underground forums and insights from Empire Exploit Kit(EK) we confirmed that the actor was selling traffic. In 2014, we found that the actor was selling traffic in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.
Malicious Servers take down by Sinkholing operation
Researchers create a new domain and Sinkholing (redirection of traffic from its original destination) the EITest operation that has been pointed to a new IP address.
By generating those new domains, researchers were able to substitute the malicious server with a sinkhole in order to receive the traffic from the backdoors on the compromised websites.
Later they freeing them from the EITest C&Cs and their visitors from the resulting malicious traffic and injects.
Researchers analyzing the traffic using this Sinkholing operation and observe that sinkhole received almost 44 million requests from roughly 52,000 servers between March 15 to April 4, 2018.
Aslo they decoding the malicious request and find the list of compromised domains as well as IP addresses and user agents of the users who had browsed to the compromised servers.
Those compromised websites are multiple content management systems and WordPress websites are the most infected websites.
Indicators of Compromise (IOCs)
|54dfa1cb[.]com|18.104.22.168||domain|ip||EITest C&C (before sinkholing)|
|e5b57288[.]com|22.214.171.124||domain|ip||EITest C&C (before sinkholing)|
|33db9538[.]com|126.96.36.199||domain|ip||EITest C&C (before sinkholing)|
|9507c4e8[.]com|188.8.131.52||domain|ip||EITest C&C (before sinkholing)|
|stat-dns[.com||domain||Seized domain controlling the DGA|