Terror EK going 'pro'? Not quite yet


Since our last post on Terror EK, we haven’t really seen much activity from this exploit kit. However, in recent days it popped back up again with a slightly new format.

One thing that seemed consistent with Terror EK was the use of a plain IP address in its URL structure:

Now we are starting to see it using a domain name (with the .pro TLD).

The campaigns

We are seeing the usual suspects via malvertising from low-quality traffic as well as decoy sites. The same obfuscation technique we talked about in our last post can still be found on domains registered by a Brian Krebs admirer, unlikely to be his son though.

[Figures: traffic overview; EK artifacts: initial landing, Flash calls, Silverlight calls, IE exploits]

The landing page and associated calls to IE, Flash, and Silverlight exploits are still in plain text. The exploits also appear to be the same old Sundown EK ones.

The developer of this exploit kit has been experimenting and making tweaks for a while now. While there are a few malvertising campaigns leading to Terror EK, the lion's share still belongs to RIG EK.

IOCs:

Domain name:

whereareyou.pro

IP address:

178.62.219.246

URLs:

whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/LtTZ9w1Mje7E.php
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/FHS7JFjfW9Vl.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/tvUNJV6Uhzvn/ZNPIoaQXLkkU.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/7Fpp4MHUZXcE.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/xtc8UCTRj7u5.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/9kYZ81evk6u5.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/xMxzOxKKP4j3.swf
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/tvUNJV6Uhzvn/RFz1s9kbszgb.xap
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/5buZoKiY2Bxl.php

Flash exploit:

c843959ebeb6f72481849cb0f905ae30694b0dc2dbb0d125f32fb9060c15bc04

Silverlight exploit:

9eb1e6bfed606da3ee6b2529915134ecf58ac983316549c9c038a757d07e0aed

Payload:

7b08251eb81e11e6f7d43b5287afa43bed6737766753128c70049b7126763dc6
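The IOCs above are only useful once they are run against traffic. The following is an added example (not code from the original post or from Malwarebytes) that matches proxy log lines against the listed domain, IP and SHA256 hashes, and additionally flags the URL shape seen in the URL list: one 24-character directory, then either a 12-character `.php` file or a 12-character directory holding a 12-character `.html`/`.swf`/`.xap` file. That path regex generalises what is visible in the nine URLs and is an assumption, not a confirmed kit signature; the log format and the log lines are constructed for the example.

```python
"""Match proxy log lines against the Terror EK IOCs from the post.

Added example, not part of the original article. The log format, the
sample lines and the path heuristic (TERROR_PATH_RE) are assumptions.
"""
import re

IOC_DOMAINS = {"whereareyou.pro"}
IOC_IPS = {"178.62.219.246"}
IOC_SHA256 = {
    "c843959ebeb6f72481849cb0f905ae30694b0dc2dbb0d125f32fb9060c15bc04": "Flash exploit",
    "9eb1e6bfed606da3ee6b2529915134ecf58ac983316549c9c038a757d07e0aed": "Silverlight exploit",
    "7b08251eb81e11e6f7d43b5287afa43bed6737766753128c70049b7126763dc6": "payload",
}

# Assumed generalisation of the observed URL shape: /<24 alnum>/<12 alnum>.php
# or /<24 alnum>/<12 alnum>/<12 alnum>.(html|swf|xap). Heuristic only.
TERROR_PATH_RE = re.compile(
    r"^/[A-Za-z0-9]{24}/"
    r"(?:[A-Za-z0-9]{12}\.php|[A-Za-z0-9]{12}/[A-Za-z0-9]{12}\.(?:html|swf|xap))$"
)

# Constructed log format: "<ts> <client-ip> <host> <path> <status> <sha256-or-dash>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<sha256>\S+)$"
)


def classify(line):
    """Return the list of reasons a log line matches; empty list if clean
    (or if the line does not parse)."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return []
    host, path, sha = m.group("host"), m.group("path"), m.group("sha256").lower()
    reasons = []
    if host.lower() in IOC_DOMAINS:
        reasons.append("IOC domain %s" % host)
    if host in IOC_IPS:
        reasons.append("IOC IP %s" % host)
    if sha in IOC_SHA256:
        reasons.append("IOC hash (%s)" % IOC_SHA256[sha])
    if TERROR_PATH_RE.match(path):
        reasons.append("Terror-EK-like path structure (heuristic)")
    return reasons


def scan(lines):
    """Return [(line, reasons)] for every line with at least one match."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample log: one clean request, a landing-page hit by domain,
# a Flash exploit fetched from the IOC IP, another clean request, and an
# unknown .pro host whose path only matches the heuristic.
SAMPLE_LOG = """\
2017-03-10T10:01:02Z 10.0.0.5 www.example.com /index.html 200 -
2017-03-10T10:01:09Z 10.0.0.5 whereareyou.pro /phRUoB0EEKe0c7hebuFTmeWb/LtTZ9w1Mje7E.php 200 -
2017-03-10T10:01:10Z 10.0.0.5 178.62.219.246 /phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/xMxzOxKKP4j3.swf 200 c843959ebeb6f72481849cb0f905ae30694b0dc2dbb0d125f32fb9060c15bc04
2017-03-10T10:01:15Z 10.0.0.7 cdn.example.net /static/app.js 200 -
2017-03-10T10:02:00Z 10.0.0.7 other.pro /AbCdEfGhIjKlMnOpQrStUvWx/AbCdEfGhIjKl/AbCdEfGhIjKl.xap 200 -
""".splitlines()

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print("%s\n    -> %s" % (line, "; ".join(reasons)))
```

Exact-match hits on the domain, IP and hashes are high confidence; the path-structure hit on its own is a lead to pivot on (check the host's registration date and what else it served), not a verdict, since the kit author has already changed the URL format once.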

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher