Tuesday, 18 June 2013

FlimKit: URL pattern change - June 2013

The first occurrence of the change was spotted on 2013-06-12. Thanks to @Set_Abominae and @node5 for the tips.

NOTE: Information is based on a sample seen on 2013-06-17

The following pattern has been seen:

  • new landing page expression - 'akulatori'
  • introduction of JNLP file
  • file extension for Java exploit changed from ZIP to JAR
  • no POST request for the Initial Payload
  • Initial Payload is stored XORed in the JAR file

Post-infection network activities:

  • GET request to '' for what seems to be an encoded configuration/data file
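Since the Initial Payload now ships XORed inside the JAR rather than being fetched with a separate POST, an analyst has to pull it out of the archive instead of the network capture. The script below is an added example for that step; it is not code from this post or from the kit. It assumes a single-byte XOR key and a Windows PE payload (the post states neither; a longer key or a different file type would need a different known-plaintext check), and it builds its own constructed sample JAR in memory so it runs offline.

```python
import io
import struct
import zipfile

# Constructed sample payload: a minimal DOS/PE-style header (MZ at 0, e_lfanew at
# 0x3C pointing to "PE\0\0") followed by filler. This is not a real executable.
def _build_fake_pe() -> bytes:
    header = bytearray(64)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = struct.pack("<I", 64)   # e_lfanew -> offset 64
    return bytes(header) + b"PE\x00\x00" + b"constructed filler, not code. " * 8

FAKE_PAYLOAD = _build_fake_pe()
SAMPLE_KEY = 0x5A  # constructed key for the sample JAR


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (used both to build and to decode)."""
    return bytes(b ^ key for b in data)


def build_sample_jar() -> bytes:
    """Build an in-memory JAR with a manifest, a fake class and an XORed resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("a/b/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 32)
        zf.writestr("res/data.bin", xor_bytes(FAKE_PAYLOAD, SAMPLE_KEY))
    return buf.getvalue()


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xored_pe(jar_bytes: bytes):
    """Scan non-class JAR entries for a single-byte-XORed PE (assumed key length).

    The key is derived from the known first plaintext byte ('M') and then
    verified against the rest of the header, so no brute force over all 256
    keys is needed. A key of 0 (payload stored in the clear) is found too.
    Returns (entry_name, key, decoded_bytes) or None.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or name.endswith(".class") or name.startswith("META-INF/"):
                continue
            blob = zf.read(name)
            if len(blob) < 0x44:
                continue
            key = blob[0] ^ ord("M")   # known plaintext: first byte must be 'M'
            decoded = xor_bytes(blob, key)
            if looks_like_pe(decoded):
                return name, key, decoded
    return None


if __name__ == "__main__":
    hit = find_xored_pe(build_sample_jar())
    if hit:
        name, key, decoded = hit
        print(f"{name}: key=0x{key:02x}, {len(decoded)} bytes, PE header verified")
    else:
        print("no single-byte-XORed PE found")
```

On a real sample, replace build_sample_jar() with the bytes of the downloaded JAR; the e_lfanew check matters because matching only the two 'MZ' bytes against a single derived key gives a false hit on roughly one entry in 256.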

Related links:
