Ancient EITest infection chain sinkholed by security teams

The chain has been used by criminals for backdoor installation, support scams, and more.
Written by Charlie Osborne, Contributing Writer

Researchers have struck a serious blow against threat actors by sinking the age-old infection chain EITest.

Last week, Proofpoint researchers revealed that EITest has now been sinkholed due to the efforts of the company together with teams from Abuse.ch and BrilliantIIT.

Dating back to 2011, the infection chain has been used to deliver support scams, backdoors, and other payloads including ransomware, information stealers, and more.

EITest is considered one of the oldest infection chains on record and has been called the "King of traffic distribution."

EITest is a collection of compromised servers which can be used to redirect traffic. Countless campaigns have taken advantage of the EITest infrastructure in the past in order to redirect users to exploit kit landing pages and other malicious websites.

The chain was not always considered a major threat. During the system's inception, EITest only redirected users to a homegrown exploit kit called Glazunov. However, the game changed when the chain was restructured in 2013 and then began redirecting victims to the Angler exploit kit.

By 2014, it appeared the creators of EITest were also renting out traffic to other threat actors and delivering multiple payloads to victims.

An investigation revealed that the creator of the infection chain was selling traffic in blocks of 50 -- 70,000 visitors for $20 per thousand visits, which equates to up to $1,400 per traffic block sale.

Last year, EITest was connected to social engineering schemes, including tech support scams such as fake Microsoft updates and malware warnings.

IBM research indicates that in 2017, cyberattackers were turning away from data breaches and other older methods of attacks in favor of ransomware. Supporting this claim in EITest's case is Proofpoint's further investigation into the chain's evolution, which revealed the system began serving up ransomware payloads in the same year.

The infection chain has gone far beyond one single, custom exploit kit to become a menace for security researchers worldwide. As a result, on March 15, the teams launched an operation to sinkhole the system for good.

The command and control (C&C) servers which were key to the infection chain's operations were generated from a key domain called stat-dns.com. This domain was seized and pointed to a new IP address in order to generate new C&C domains.

These domains were pointed to sinkholes controlled by the research teams. When traffic passes through they are now no longer being pointed towards malicious payloads or exploit kits.

The researchers estimate that by sinkholing EITest, as many as two million potentially malicious redirects per day have been stopped.

The sinkhole operation has also provided fresh information on EITest's operations. From March 15 to April 4, the sinkhole received close to 44 million requests from approximately 52,000 servers.

The majority of compromised websites which were serving up traffic were based on the WordPress content management system (CMS), which may suggest these domains were exploited due to poor patch management and out-of-date software.

See also: Critical remote code execution vulnerabilities impact Natus medical devices

Compromised servers connected to EITest were found in countries including the United States, Ukraine, China, and France.

"Following the successful sinkhole operation, the actor shut down their C&C proxies, but we have not observed further overt reactions by the operators of EITest," the researchers say. "We will continue to monitor EITest activity as the EITest actor may attempt to regain control of a portion of the compromised websites involved in the infection chain."

Innovative artificial intelligence, machine learning projects to watch

Previous and related coverage

Editorial standards