Shining some light on the ‘Unknown’ Exploit Kit

Jack


Every now and again we come across new URL patterns when investigating traffic captures. In some cases, they are variations of existing redirectors or exploit kits which play the cat-and-mouse game with security researchers, other times they are the indication of a new threat.

But what makes something ‘new’, and how can you be sure that it is indeed something truly novel? Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy.

There are a few reasons for this. For one, the landscape is vast and ever-changing, bringing an overwhelming amount of information that needs to be dissected and categorized.

Secondly, much of what we see is what the bad guys are showing us, which essentially means client-side traffic.

What about the back-end structure, the actual actors in this ecosystem?

Thankfully we do get the chance to look at it thanks to the relentless work of dedicated researchers such as @kafeine. But sometimes, there are still some things that are left unclear or may confuse some of us (including the author of this article).

When a security researcher stumbles upon something he does not recognize, he often calls it ‘unknown’ for the lack of information needed to give it a proper name.

This post will dig into such a case that has been floating around for some time now and may finally get a chance to have enough exposure to be categorized.

The ‘Unknown’ Exploit Kit
A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:

  • The payload’s size did not match that of any URL from the capture
  • The URL patterns were new
Before diving into the exploit kit itself, let’s first take a look at how we got there.

Redirection chain
Raw traffic:




Read more: https://blog.malwarebytes.org/exploits-2/2014/08/shining-some-light-on-the-unknown-exploit-kit/

Cats-4_Owners-2

Thanks for the article, Jack. :) It's seeped in mystery, brings rise to more questions, and is even motivation to keep Flash updated for vulnerabilities ;) while approaching o_O (or disabling) Java with careful :oops: caution.