EITest Gate at 85.93.0.32 Leads to Angler EK at 83.220.169.231

I found these GET requests in our customers traffic:

zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D

one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y

Unfortunately for our analyst we don’t always get packets so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the events the user was searching for plastic surgeons in Scottsdale Arizona:

scottsdaleps[.]com/
azplasticsurgerycenter[.]com/
yellowpages[.]com/scottsdale-az/plastic-surgeons
desertplasticsurgery[.]com/
innovativecosmeticsurgery[.]com/
admireplasticsurgery[.]com/
marcmalekmd[.]com/
rejuvent[.]com/
markmeyersmd[.]com/

After going through each page I found the compromised site to be:

scottsdaleps[.]com/

Here is the injected script:

Here is the HTTP traffic:

TCP stream showing call for the Flash file (redirector):

This is used to redirect visitors to the Angler EK.

According to VirusTotal the .swf file has a current detection ratio of 5/54.

Gate showing JavaScript (window.self.location.replace) loads EK landing page:

HTTP request for the Angler EK landing page:

While this led to the Angler EK I haven’t yet had any success in getting my test environment infected. I will be switching my version of Flash Player for more runs at the EITest gate in the near future.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: