Nytro

Sneaky Redirect to Exploit Kit


Posted on January 12, 2014 by darryl

While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here.

Here’s the website I visited…looks suspicious already:

2014-01-12_01.png

There was a reference to an external JavaScript file:

2014-01-12_02.png

The file is obfuscated JavaScript, which is a red flag:

2014-01-12_03.png

I found the malicious redirect, or so I thought…

2014-01-12_04.png

Long story short, this led nowhere. Going back to the main page, there is a call to a Flash file at the bottom.

2014-01-12_05.png

Reviewing the ActionScript reveals something interesting. It reads in a PNG file called “gray-bg.png”, extracts every other character, then evals it.

2014-01-12_06.png

The “PNG” file is not a graphic file but a renamed text file.

2014-01-12_07.png

I used Converter to extract one character every two positions and got this:

2014-01-12_08.png

The URL leads to the Neutrino landing page.

Source: Sneaky Redirect to Exploit Kit | Kahu Security
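The analysis step described in the post, as an added triage example (not code from the original post or from Kahu Security): it flags a `.png` that lacks the PNG signature and recovers the text hidden at every second character, then lists any URLs in it. The function names, the keyword scoring and the sample data are assumptions made for illustration; the post does not say whether the kept characters start at position 0 or 1, so both are tried.

```python
import re
from itertools import cycle

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte signature that starts every real PNG
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
KEYWORDS = ("http", "eval", "document", "window", "location", "var ")


def script_score(text):
    """Crude measure of how script-like a decoded candidate is (assumed heuristic)."""
    return len(URL_RE.findall(text)) * 10 + sum(text.count(k) for k in KEYWORDS)


def triage(name, data):
    """Flag a .png without the PNG signature and de-interleave its contents."""
    report = {"name": name, "mismatch": False, "offset": None,
              "decoded": "", "urls": []}
    if not name.lower().endswith(".png") or data.startswith(PNG_MAGIC):
        return report  # not named .png, or a genuine PNG: nothing to decode
    report["mismatch"] = True
    text = data.decode("latin-1")  # lossless byte-to-character mapping
    # Try both starting positions and keep the more script-like result.
    offset, decoded = max(((o, text[o::2]) for o in (0, 1)),
                          key=lambda cand: script_score(cand[1]))
    report.update(offset=offset, decoded=decoded,
                  urls=URL_RE.findall(decoded))
    return report


# Constructed sample, not the file from the post: a harmless string with a
# filler character in front of every real character (real text at offset 1).
HIDDEN = 'var u="http://landing.example.invalid/x";'
SAMPLE = "".join(f + c for c, f in zip(HIDDEN, cycle("qzxj"))).encode("latin-1")

if __name__ == "__main__":
    result = triage("gray-bg.png", SAMPLE)
    print("extension/content mismatch:", result["mismatch"])
    print("offset used:", result["offset"])
    print("decoded:", result["decoded"])
    print("urls:", result["urls"])
```

The same signature check works as a standalone detection for proxy or sandbox captures: a response served as `.png` whose first eight bytes are not the PNG signature deserves a closer look.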
