The long-lived ElTest malware campaign that infects victims through compromised websites evolved once again in the last quarter of 2016, ending its use of exploit kit gates and obfuscation, according to researchers with Palo Alto Networks’ Unit 42 threat research team.
In a blog post Thursday, Palo Alto reported that a recent analysis of ElTest revealed that the malicious script it uses to sabotage legitimate websites now sends victims directly to an exploit kit landing page, rather than first routing the person through a gate, as it had prior to Oct. 3, 2016. Typically, websites that deliver EKs use gates to examine incoming traffic and determine what actions to take.
Palo Alto noted that ElTest’s change in tactics may have been triggered by the enterprise and network security company’s previous Oct. 3 blog post examining the campaign.
By Oct. 15, ElTest also stopped obfuscating the URL for the EK landing page that is embedded within its malicious script, the blog post continues.
ElTest uses various versions of the Rig Exploit Kit to disperse its malware, typically serving up information stealers like Gootkit and the Chthonic banking Trojan, but occasionally distributing other types of programs including Cerber or CryptoMix ransomware.
“Perhaps the most interesting thing about EITest is its longevity,” reads the blog post, written by Unit 42 threat intelligence analyst Brad Duncan. “People have been tracking this campaign since 2014, and its longevity suggests that despite the shifting EK landscape, EKs remain a profitable venture for the criminals involved.