Tuesday, 18 June 2013

FlimKit: URL pattern change - June 2013

The first occurrence of the change has been spotted on 2013-06-12. Thanks to @Set_Abominae and @node5 for the tips.

NOTE: Information is based on a sample seen on 2013-06-17

The following pattern has been seen:


Changes:
  • new landing page expression - 'akulatori'
  • introduction of JNLP file
  • file extension for Java exploit changed from ZIP to JAR
  • no POST request for the Initial Payload
  • Initial Payload is stored XORed in the JAR file

Post-infection network activities:
  • GET request to 'adyduxuzy.pl/qXKFD4Z7dHp5LnNtYWR5ZHVVdXp5LnA=' for what seems to be an encoded configuration/data file
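The chain above (an 'akulatori' landing page, a JNLP file, a JAR instead of a ZIP, no POST for the payload, then a GET to a base64-shaped path) can be matched against proxy logs. The following is an added triage example, not code from the original post or from any FlimKit sample: the log format, the client addresses and the hostnames other than adyduxuzy.pl are constructed, and the single-byte XOR key search is an assumption, since the post does not say how the payload is XORed.

```python
"""Triage helpers for the FlimKit traffic pattern described in the post.

Added example (not from the original post). Log format, client IPs and
all hostnames except adyduxuzy.pl are constructed for illustration.
"""
import base64
import binascii
import re
from collections import defaultdict

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2013-06-17T10:00:01 10.0.0.5 GET http://landing.example.test/akulatori/index.php 200
2013-06-17T10:00:02 10.0.0.5 GET http://landing.example.test/akulatori/launch.jnlp 200
2013-06-17T10:00:03 10.0.0.5 GET http://landing.example.test/akulatori/app.jar 200
2013-06-17T10:00:09 10.0.0.5 GET http://adyduxuzy.pl/qXKFD4Z7dHp5LnNtYWR5ZHVVdXp5LnA= 200
2013-06-17T10:05:00 10.0.0.7 GET http://www.example.test/index.html 200
2013-06-17T10:05:01 10.0.0.7 POST http://www.example.test/login 302
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
# A single base64-shaped token as the whole path; '/' is left out of the
# alphabet here because it is ambiguous with a path separator.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+]{16,}={0,2}$")


def parse_log(text):
    """Yield (timestamp, client, method, url, status) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def looks_base64_path(url):
    """True if the URL path is one base64-shaped token that also decodes cleanly.

    The decoded bytes are not interpreted: the post only says the resource
    'seems to be' an encoded configuration/data file.
    """
    parts = url.split("://", 1)[-1].split("/", 1)
    if len(parts) < 2 or not B64_TOKEN_RE.match(parts[1]):
        return False
    try:
        base64.b64decode(parts[1], validate=True)
    except (ValueError, binascii.Error):
        return False
    return True


def flimkit_indicators(rows):
    """Collect, per client, which stages of the described chain were seen."""
    stages = defaultdict(set)
    for _ts, client, method, url, _status in rows:
        low = url.lower()
        if "akulatori" in low:
            stages[client].add("landing")
        if low.endswith(".jnlp"):
            stages[client].add("jnlp")
        if low.endswith(".jar"):
            stages[client].add("jar")
        if method == "GET" and looks_base64_path(url):
            stages[client].add("encoded_get")
    return dict(stages)


def suspected_clients(text, min_stages=3):
    """Clients that hit at least `min_stages` distinct stages of the chain."""
    stages = flimkit_indicators(parse_log(text))
    return sorted(c for c, s in stages.items() if len(s) >= min_stages)


def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)


def find_single_byte_xor_key(blob, marker=b"MZ"):
    """Assumption (not stated in the post): the payload is XORed with one byte.

    Return the key under which the blob starts with `marker`, else None.
    """
    for key in range(256):
        if xor_bytes(blob[:len(marker)], key) == marker:
            return key
    return None


# Constructed stand-in for an XORed resource pulled out of the JAR (key 0x5A).
SAMPLE_XORED = xor_bytes(b"MZ\x90\x00" + b"constructed payload header", 0x5A)

if __name__ == "__main__":
    print("suspected clients:", suspected_clients(SAMPLE_LOG))
    print("recovered XOR key:", hex(find_single_byte_xor_key(SAMPLE_XORED)))
```

The stage threshold exists because any one indicator alone (a JAR download, a long opaque path) is common in benign traffic; the post's point is the combination, in order, on one client. The XOR search is only a first-pass check for a PE header and will not help if the real key is longer than one byte.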

Related links:
http://www.malwaresigs.com/2013/05/22/flimkit/
