EITest malware campaign changes tactics, scraps use of gates and obfuscation

The long-lived EITest malware campaign, which infects victims through compromised websites, evolved once again in the last quarter of 2016, ending its use of exploit kit gates and obfuscation, according to researchers with Palo Alto Networks' Unit 42 threat research team.

In a blog post Thursday, Palo Alto reported that a recent analysis of EITest revealed that the malicious script it injects into compromised legitimate websites now sends victims directly to an exploit kit (EK) landing page, rather than first routing them through a gate, as it had before Oct. 3, 2016. Typically, sites that deliver EKs route visitors through gates, intermediate servers that examine incoming traffic and decide what action to take.

Palo Alto noted that EITest's change in tactics may have been triggered by the security company's own Oct. 3 blog post examining the campaign.

By Oct. 15, EITest had also stopped obfuscating the URL of the EK landing page embedded within its malicious script, the blog post continues.
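The two changes above alter what a defender sees in web proxy logs: a redirect chain that used to be compromised site, then gate, then landing page becomes a single hop from the compromised site straight to the landing page. The following added example (not code from the article or from Unit 42) reconstructs referer chains from constructed proxy records and reports whether each hit on a watched landing host arrived via an intermediate host or directly; all hostnames and addresses are placeholders.

```python
"""Reconstruct referer chains from proxy records and flag landing-page hits."""
from urllib.parse import urlparse

# Constructed sample proxy records: (client, referer, requested_url).
# All hosts are placeholders, not indicators from the article.
SAMPLE_LOG = [
    # Older pattern: compromised site -> gate -> landing page
    ("10.0.0.5", "-", "http://compromised-site.example/index.html"),
    ("10.0.0.5", "http://compromised-site.example/index.html", "http://gate.example/check.php?id=1"),
    ("10.0.0.5", "http://gate.example/check.php?id=1", "http://ek-landing.example/?q=abc"),
    # Newer pattern: compromised site -> landing page directly
    ("10.0.0.9", "-", "http://another-site.example/blog/"),
    ("10.0.0.9", "http://another-site.example/blog/", "http://ek-landing.example/?q=xyz"),
    # Benign navigation on one site
    ("10.0.0.7", "-", "http://news.example/"),
    ("10.0.0.7", "http://news.example/", "http://news.example/story"),
]

LANDING_HOSTS = {"ek-landing.example"}  # placeholder watchlist of landing-page hosts


def build_parents(records):
    """Map each (client, url) to the referer that led to it ('-' means none)."""
    parents = {}
    for client, referer, url in records:
        parents[(client, url)] = None if referer == "-" else referer
    return parents


def walk_chain(parents, client, url):
    """Follow referers backwards from url; returns the chain in visit order."""
    chain, seen = [url], {url}
    while True:
        ref = parents.get((client, chain[-1]))
        if ref is None or ref in seen:  # start of chain, or a referer loop
            break
        seen.add(ref)
        chain.append(ref)
    return list(reversed(chain))


def flag_landing_hits(records, landing_hosts=LANDING_HOSTS):
    """Return (client, chain, via_gate) for every request to a watched landing host."""
    parents = build_parents(records)
    hits = []
    for client, _, url in records:
        if urlparse(url).hostname in landing_hosts:
            chain = walk_chain(parents, client, url)
            # Three or more hops means at least one intermediate (gate) host
            hits.append((client, chain, len(chain) >= 3))
    return hits
```

Run on real proxy exports, the `via_gate` flag separates the older gated chains from the direct redirects described in the post, so both patterns can be alerted on.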

EITest uses various versions of the Rig Exploit Kit to distribute its malware, typically serving up information stealers such as Gootkit and the Chthonic banking Trojan, but occasionally delivering other types of programs, including Cerber or CryptoMix ransomware.

“Perhaps the most interesting thing about EITest is its longevity,” reads the blog post, written by Unit 42 threat intelligence analyst Brad Duncan. “People have been tracking this campaign since 2014, and its longevity suggests that despite the shifting EK landscape, EKs remain a profitable venture for the criminals involved.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.