Persistent EITest Malware Campaign Jumps from Angler to Neutrino

A two-year-old EITest malware campaign is still going strong, fueled by the fact it has shifted its distribution technique over time. Now, researchers at the SANS Institute’s Internet Storm Center, are reporting EITest is morphing again based on analysis of the malware campaign conducted earlier this month.

According to researcher Brad Duncan, the EITest malware campaign is being refueled by the fact it is shifting from the Angler exploit kit to the Neutrino exploit kit.

“During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,” Duncan wrote in an Internet Storm Center post.

First identified in July of 2014 by Malwarebytes, EITest is known for leveraging thousands of legitimate websites that have been hacked and used in tandem with a Flash-based redirection script to deliver payloads such as the Gootkit Trojan information stealer.

In the case of EITest, attackers were booby trapping legitimate sites with drive-by downloads unbeknownst to their owners by using rotating URLs as the exploit kit’s landing page. The perpetrators did this by inserting a Flash application code at the bottom of an infected site’s main page to direct traffic to a malicious landing page. To avoid URL blacklisting, attackers used free DNS services to register disposable subdomains to create a large pool of URLs that can be used once and then trashed.

Duncan now says the EITest campaigns is now using 85.93.0.0/24 for a gate between the compromised website and the Neutrino EK. “The TLD for these gate domains has most often been .tk but we’ve seen .co.uk domains used this week,” he wrote.

As for the payload, in two instances Duncan reports he was running Adobe Flash Player 20.0.0.306, which is vulnerable to CVE-2016-1019, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.

Palo Alto Networks has also been tracking the progress of the stubborn EITest malware campaign. In March, researchers noticed that the EITest gate occasionally changes IP addresses, but consistently used the TLDs .tk, .uk and .com.

“The EITest gate URL continues to return a Flash file that redirects traffic to Angler EK. This gate URL always generates two HTTP GET requests. The first request retrieves the Flash file and the second request returns script pointing to an Angler EK landing page,” wrote Palo Alto in March.

Now SANS Institute’s Internet Storm Center says the indicators of compromise on its test systems include the EITest gate 85.93.0.33 port 80 (true.imwright.co.uk) and 104.238.185.187 port 80 (ndczaqefc.anein.top) for the Neutrino EK with the payload Gootkit information stealer.

Duncan observed a second infection chain from the EITest campaign used the Angler ET with the following the indicators of compromise; 85.93.0.33 port 80 – true.imwright.co.uk – EITest gate, 185.117.75.219 port 80 – kmgb0.yle6to.top – Angler EK, and delivering an undetermined payload.