{"id":7450,"date":"2017-04-26T06:10:05","date_gmt":"2017-04-26T14:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/26\/news-1241\/"},"modified":"2017-04-26T06:10:05","modified_gmt":"2017-04-26T14:10:05","slug":"news-1241","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/04\/26\/news-1241\/","title":{"rendered":"Terror EK going ‘pro’? Not quite yet"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 26 Apr 2017 13:00:46 +0000<\/strong><\/p>\n

Since our last post<\/a> on Terror EK, we haven’t really seen much activity from this exploit kit. However, in recent days it popped back up again with a slightly new format.<\/p>\n

One thing that seemed consistent with Terror EK was the use of a plain IP address in its URL structure:<\/p>\n

\"\"<\/p>\n

Now we are starting to see it using a domain name (with the .pro<\/em> TLD).<\/p>\n

The campaigns<\/h2>\n

We are seeing the usual suspects via\u00a0malvertising from low quality traffic as well as decoy sites. The same\u00a0obfuscation<\/a>\u00a0technique we talked about in our last post can still be found on\u00a0domains registered by\u00a0a Brian Krebs admirer, unlikely to be his son though.<\/p>\n

Traffic overview<\/h2>\n

\"\"<\/a><\/p>\n

EK artifacts<\/h2>\n

Initial landing<\/strong><\/h3>\n

\"\"<\/a><\/p>\n

Flash calls<\/strong><\/h3>\n

\"\"<\/a><\/p>\n

Silverlight calls<\/strong><\/h3>\n

\"\"<\/a><\/p>\n

IE exploits<\/strong><\/h3>\n

\"\"<\/a><\/p>\n

The landing page and associated calls to IE, Flash, and Silverlight exploits are still in plain text. The exploits also appear to be the same old Sundown EK ones.<\/p>\n

The developer of this exploit kit has been experimenting and making\u00a0tweaks for a while now. While there are a few malvertising campaigns leading to Terror EK, the lion share still belongs to\u00a0RIG EK.<\/p>\n

IOCs:<\/h3>\n

Domain name:<\/p>\n

whereareyou.pro<\/pre>\n
IP address:<\/p>\n
178.62.219.246<\/pre>\n
URLs:<\/p>\n
whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/LtTZ9w1Mje7E.php  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/VQa0OExKRPgO\/FHS7JFjfW9Vl.html  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/tvUNJV6Uhzvn\/ZNPIoaQXLkkU.html  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/6godVZHnf7eO\/7Fpp4MHUZXcE.html  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/6godVZHnf7eO\/xtc8UCTRj7u5.html  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/6godVZHnf7eO\/9kYZ81evk6u5.html  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/VQa0OExKRPgO\/xMxzOxKKP4j3.swf  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/tvUNJV6Uhzvn\/RFz1s9kbszgb.xap  whereareyou.pro\/phRUoB0EEKe0c7hebuFTmeWb\/5buZoKiY2Bxl.php<\/pre>\n
Flash exploit:<\/p>\n
c843959ebeb6f72481849cb0f905ae30694b0dc2dbb0d125f32fb9060c15bc04<\/pre>\n
Silverlight exploit:<\/p>\n
9eb1e6bfed606da3ee6b2529915134ecf58ac983316549c9c038a757d07e0aed<\/pre>\n
Payload:<\/p>\n
7b08251eb81e11e6f7d43b5287afa43bed6737766753128c70049b7126763dc6<\/pre>\n
The post Terror EK going ‘pro’? Not quite yet<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 26 Apr 2017 13:00:46 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
A quick peek into some changes to Terror EK, an underdog exploit kit in development.<\/p>\n
Categories: <\/p>\n