Update for the EITest Gate

I’ve been following the EITest campaign for a couple months now and I have just recently noticed something different in the traffic. The threat actors are still using compromised sites by injecting them with the same EITest script:

 

The EITest script above causes the host to retrieve a Flash file from EITest gate. However, the response is showing that the server was using chunked encoding rather than content-length. Here is the chunked response:

Side not: chunked encoding was added in HTTP/1.1 and it allows a web server to stream content to clients without knowing ahead of time how large the content is going to be.

For some reason I wasn’t able to find “HTTP/1.1 200 OK (application/x-shockwave-flash)” in the Info column or any Flash files in the objects.

Here is the script for the GET request to the EK.

The other change I noticed was that the HTML containing the JavaScript used to generate the GET request to the EK landing page had some additional obfuscated code:

Also in the HTML code we can see the use of the HTTP meta element and the “http-equiv” attribute. The attribute value is set to “refresh” with the content set to “0”. This causes the browser to immediately refresh and redirect the user.

Also, the script is no longer using “window.self.location.replace” but is instead using “document.location.href”, which is pointing to the same URL as contained in the meta element.

That request redirects the host to the EK landing page. It is at this point the EK performs checks to determine if the host is vulnerable, as well as if they are using certain security products and/or using a VM.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: