TRAFFIC. Shown above: Example of injected script from the EITest campaign in a page from the compromised site on 2017-02-06. Shown above: Pcap of the infection traffic from 2017-02-01 filtered in Wireshark. Shown above: Pcap of the infection traffic from 2017-02-02 filtered in Wireshark.
Article Link: http://www.malware-traffic-analysis.net/2017/02/06/index.html