Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Researchers Sinkhole Deep-Rooted “EITest” Infection Chain

Proofpoint on Thursday said that it has managed to sinkhole what could be the oldest “infection chain” out there, which redirected users to exploit kits (EKs), social engineering schemes, and other malicious or fraudulent operations.

Proofpoint on Thursday said that it has managed to sinkhole what could be the oldest “infection chain” out there, which redirected users to exploit kits (EKs), social engineering schemes, and other malicious or fraudulent operations.

Dubbed EITest and supposedly active since 2011, the infection chain has been associated with the distribution of ransomware, information stealers, and other malware. Performing around two million potential malicious redirects a day, the chain has been rendered ineffective after Proofpoint sinkholed it in collaboration with brillantit.com and abuse.ch.

In 2011, the infection chain was redirecting to a private EK known as Glazunov, but switched to Angler in July 2014, after being silent for about half a year. The actor behind EITest started rework on infrastructure around November 2013, the creation dates of command and control (C&C) domains reveal.

When the chain reappeared in July 2014, it was spreading multiple payloads, which suggested that it was either selling loads or traffic. The researchers confirmed the actor was selling traffic, “in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.”

EITest began using social engineering schemes in January 2017, which over the past several months was primarily concentrated around social engineering and tech support scams leading to ransomware.

Last year, EITest was involved in a malicious campaign targeting Chrome users with fake font update notifications but serving malware instead. Also last year, the infection chain was observed redirecting to the RIG-V EK.

The security researchers managed to fully sinkhole the EITest operation on March 15, 2018.

“The C&C domains were generated from the resolution of a key domain ‘stat-dns[.]com’. Once seized, we pointed that domain to a new IP address to generate four new EITest C&C domains. These, in turn, were pointed to an abuse.ch sinkhole,” Proofpoint security researcher Kafeine explains.

Advertisement. Scroll to continue reading.

By generating the new domains, the security researchers replaced the malicious server with a sinkhole, which allowed them to receive the traffic from the backdoors on the compromised websites. Thus, they could prevent the resulting malicious traffic and injects from reaching users, but the cleanup efforts are ongoing.

From March 15 to April 4, 2018, the sinkhole received nearly 44 million requests from roughly 52,000 servers, which revealed compromised domains and the IP addresses and user agents of the users who browsed to the compromised servers. The complete list of compromised websites was shared with national CERTs.

Most of the compromised websites were using the WordPress content management system, Kafeine reveals. The United States emerged as the top country accessing EITest-compromised websites, followed by Ukraine, Canada, France, and Ireland.

“EITest is one of the oldest and largest infection chains, which, early in its operation, primarily distributed malware via a private exploit kit. In more recent years, the operators of EITest became prolific sellers of traffic to EK operators and social engineering schemes through their large network of compromised web servers,” Kafeine notes.

Following the sinkhole operation, the EITest C&C proxies were shut down, and the actor behind the infection chain apparently went silent. The researchers did observe some encoded calls to the sinkhole that were associated with takeover attempts, but it’s unclear whether they were initiated by the operator or other researchers or threat actors.

Related: U.S. Announces Takedown of Global Cyber Theft Ring

Related: Andromeda Botnet to Die Slow, Painful Death

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.