An Update On The EITest/Angler EK Campaign

We have been tracking this particular malware campaign that leverages compromised websites for well over a year. What made it stand out from other attack methods is its use of a Flash file in the redirection process to the Angler exploit kit.

Angler EK has various sources of traffic leads, ranging from malvertising to compromised websites. While not as popular as some of the others, the EITest campaign has been steady for a long time.

Today, while doing a routine review of exploit kits we came across some changes in the EITest URL patterns and Flash file. We show those differences below.

Overview:

[Image: Fiddler capture of the redirection chain]

Compromised site (foz.ifpr.edu.br):

[Image: injection]

Flash file (twoldes.tk):

[Image: class2]

Redirection to Angler (twoldes.tk):

[Image: redir_Angler]

IOCs:

Flash file (twoldes.tk): 877f1f827f592baf1d13fd9d629cb279

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher