Terror EK going 'pro'? Not quite yet

Terror EK going ‘pro’? Not quite yet

Since our last post on Terror EK, we haven’t really seen much activity from this exploit kit. However, in recent days it popped back up again with a slightly new format.

One thing that seemed consistent with Terror EK was the use of a plain IP address in its URL structure:

Now we are starting to see it using a domain name (with the .pro TLD).

The campaigns

We are seeing the usual suspects via malvertising from low quality traffic as well as decoy sites. The same obfuscation technique we talked about in our last post can still be found on domains registered by a Brian Krebs admirer, unlikely to be his son though.

Traffic overview

EK artifacts

Initial landing

Flash calls

Silverlight calls

IE exploits

The landing page and associated calls to IE, Flash, and Silverlight exploits are still in plain text. The exploits also appear to be the same old Sundown EK ones.

The developer of this exploit kit has been experimenting and making tweaks for a while now. While there are a few malvertising campaigns leading to Terror EK, the lion share still belongs to RIG EK.


Domain name:


IP address:


whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/LtTZ9w1Mje7E.php whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/FHS7JFjfW9Vl.html whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/tvUNJV6Uhzvn/ZNPIoaQXLkkU.html whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/7Fpp4MHUZXcE.html whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/xtc8UCTRj7u5.html whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/9kYZ81evk6u5.html whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/xMxzOxKKP4j3.swf whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/tvUNJV6Uhzvn/RFz1s9kbszgb.xap whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/5buZoKiY2Bxl.php

Flash exploit:


Silverlight exploit:





Jérôme Segura

Principal Threat Researcher