126.96.36.199 – EITest Gate
The following traffic was found on one of our customers' networks:
Just by looking at these requests I could tell one was a gate and the other an EK (exploit kit) landing page. However, I didn't know the Referer for the redirect, since we don't always capture the full packets.
After searching the surrounding HTTP traffic I noticed a lot of URLs containing "Solid" and "Works". I narrowed the search down to a couple of suspicious domains and began looking through their HTML. I eventually found the site responsible for the redirect:
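The pivot described above, finding the compromised site from the surrounding HTTP traffic when no Referer was captured, can be scripted. The following is an added example and not code from the original write-up: it parses Zeek-style `http.log` lines (the field layout `ts, client, server, host, uri, referrer` and the sample lines themselves are constructed for this example; the hostnames are placeholders), lists hosts whose name or URI contains the keywords that stood out, and for every request to the gate names the likely referring site, using the Referer header when one exists and otherwise the same client's most recent request to another host within a short time window. The second function also handles the later case in the post where several clients hit the gate from different URIs.

```python
"""Pivot from a known gate IP back to the site that sent the client there.

Added example, not the original write-up's code. Input is a Zeek-style
http.log; the field layout (ts, client, server, host, uri, referrer) and the
sample lines below are constructed for this example.
"""
from urllib.parse import urlparse

GATE_IP = "126.96.36.199"  # the gate address from the write-up

# Constructed sample log: one client carries a Referer to the gate, one has
# none (only timing ties it to a site), and one is too far from any prior
# request to attribute. Hostnames are placeholders.
SAMPLE_HTTP_LOG = """\
1455192000.10\t10.0.0.5\t203.0.113.10\tsolidworks-forum.example\t/index.html\t-
1455192001.30\t10.0.0.5\t203.0.113.10\tsolidworks-forum.example\t/js/jquery.js\t-
1455192002.50\t10.0.0.5\t126.96.36.199\t126.96.36.199\t/get.php\thttp://solidworks-forum.example/index.html
1455192003.00\t10.0.0.6\t198.51.100.7\tcdn.example\t/fonts.css\t-
1455192010.00\t10.0.0.6\t203.0.113.22\tworks-cad-tips.example\t/post/123\t-
1455192011.20\t10.0.0.6\t126.96.36.199\t126.96.36.199\t/get.php\t-
1455192100.00\t10.0.0.7\t203.0.113.99\tnews.example\t/\t-
1455192400.00\t10.0.0.7\t126.96.36.199\t126.96.36.199\t/get.php\t-
"""


def parse_http_log(text):
    """Parse tab-separated lines into dicts, sorted by time. '-' means absent."""
    fields = ("ts", "client", "server", "host", "uri", "referrer")
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than crash on a real log
        rec = dict(zip(fields, parts))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def keyword_hosts(records, keywords):
    """Hosts whose name or URI contains any keyword (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    hits = set()
    for r in records:
        haystack = (r["host"] + r["uri"]).lower()
        if any(k in haystack for k in kws):
            hits.add(r["host"])
    return sorted(hits)


def find_gate_referrers(records, gate_ip, window=30.0):
    """For each request to the gate, name the site that most likely sent it.

    Uses the Referer header when the client supplied one; otherwise falls
    back to the same client's most recent request to a different server
    within `window` seconds. Returns (client, gate_uri, referring_host,
    evidence) where evidence is "referer", "timing" or None.
    """
    results = []
    for i, r in enumerate(records):
        if r["server"] != gate_ip:
            continue
        if r["referrer"] != "-":
            host = urlparse(r["referrer"]).hostname
            results.append((r["client"], r["uri"], host, "referer"))
            continue
        candidate = None
        for prev in reversed(records[:i]):  # walk backwards in time
            if r["ts"] - prev["ts"] > window:
                break  # records are sorted, so nothing older can qualify
            if prev["client"] == r["client"] and prev["server"] != gate_ip:
                candidate = prev["host"]
                break
        results.append((r["client"], r["uri"], candidate,
                        "timing" if candidate else None))
    return results


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    print("keyword hosts:", keyword_hosts(recs, ["Solid", "Works"]))
    for row in find_gate_referrers(recs, GATE_IP):
        print(row)
```

A timing-based attribution is only a lead: the site it names is where to start reading the HTML for an injected script, not proof of compromise, and a long gap (the third client above) should be reported as unattributed rather than guessed.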
Below is the injected script from 2/11/16:
Making a request to the site caused the following Sguil alerts:
Following the TCP stream I could see a request for the flash redirector:
Submitting the file to VirusTotal shows reasonable detection, a ratio of 12/54, flagged as Trojan:SWF/EITest.A.
My VM wasn't redirected to an EK landing page this time, but here you can see the script on the gate:
Something else to note is that three other hosts were redirected to the EITest gate from the following URIs on the same day:
Lastly, querying the DNS records for the gate shows how active these threat actors have been in recent weeks: