Since our last post on Terror EK, we haven't really seen much activity from this exploit kit. However, in recent days it popped back up again with a slightly new format.
One thing that seemed consistent with Terror EK was the use of a plain IP address in its URL structure:
Now we are starting to see it using a domain name (with the .pro TLD).
The campaigns

We are seeing the usual suspects via malvertising from low-quality traffic as well as decoy sites. The same obfuscation technique we talked about in our last post can still be found on domains registered by a Brian Krebs admirer, unlikely to be his son though.
The landing page and associated calls to IE, Flash, and Silverlight exploits are still in plain text. The exploits also appear to be the same old Sundown EK ones.
The developer of this exploit kit has been experimenting and making tweaks for a while now. While there are a few malvertising campaigns leading to Terror EK, the lion's share still belongs to RIG EK.
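The URLs in this campaign share one shape: a .pro host, a 24-character alphanumeric first path component, an optional 12-character directory, and a 12-character file name whose extension tells you which stage you are looking at (the .php landing page, the .html IE exploit pages, the .swf Flash and .xap Silverlight exploits). The script below is an added example, not code from the original post or from Malwarebytes: it turns that observation into a proxy-log check that tags each matching URL with its stage and notes whether the host is a bare IP (the older Terror EK format) or a .pro domain (the current one). The fixed component lengths, the Squid-style sample log lines and the host names other than whereareyou.pro are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Path shape shared by every Terror EK URL observed in this campaign: a
# 24-character alphanumeric first component, an optional 12-character
# directory, and a 12-character file name with one of the extensions seen.
# Assumption (not stated in the post): these lengths hold across campaigns.
TERROR_PATH = re.compile(
    r"^/(?P<token>[A-Za-z0-9]{24})"
    r"(?:/(?P<subdir>[A-Za-z0-9]{12}))?"
    r"/(?P<name>[A-Za-z0-9]{12})\.(?P<ext>php|html|swf|xap)$"
)

# Stage implied by each extension, following the post: the .php is the
# landing page, .html pages carry the IE exploits, .swf is Flash, .xap is Silverlight.
ROLE_BY_EXT = {
    "php": "landing page",
    "html": "IE exploit page",
    "swf": "Flash exploit",
    "xap": "Silverlight exploit",
}

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_IN_LINE = re.compile(r"https?://\S+")


def classify_url(url):
    """Return a dict describing the hit, or None if the URL does not fit the pattern."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    m = TERROR_PATH.match(parsed.path)
    if not m:
        return None
    host = parsed.hostname or ""
    if IPV4_HOST.match(host):
        host_kind = "bare IP (older Terror EK format)"
    elif host.endswith(".pro"):
        host_kind = ".pro domain (current format)"
    else:
        host_kind = "other host"
    return {
        "host": host,
        "host_kind": host_kind,
        "token": m.group("token"),   # first path component, shared by the whole chain
        "role": ROLE_BY_EXT[m.group("ext")],
    }


def scan_proxy_log(lines):
    """Return a list of (line_no, hit) for every log line whose URL fits the pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_IN_LINE.findall(line):
            hit = classify_url(url.rstrip('",'))
            if hit:
                hits.append((n, hit))
    return hits


# Constructed sample log lines (Squid-style, not real traffic); the first three
# URLs are from the campaign's IOC list, the last two are benign look-alikes.
SAMPLE_LOG = [
    "1494000001.120 10.0.0.21 TCP_MISS/200 GET http://whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/LtTZ9w1Mje7E.php",
    "1494000001.480 10.0.0.21 TCP_MISS/200 GET http://whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/FHS7JFjfW9Vl.html",
    "1494000001.910 10.0.0.21 TCP_MISS/200 GET http://whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/xMxzOxKKP4j3.swf",
    "1494000002.300 10.0.0.22 TCP_MISS/200 GET http://www.example.com/news/index.php",
    "1494000002.650 10.0.0.23 TCP_MISS/200 GET http://cdn.example.net/static/app.swf",
]

if __name__ == "__main__":
    for n, hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {hit['host']} ({hit['host_kind']}) "
              f"token={hit['token']} -> {hit['role']}")
```

Matching on path shape rather than on the exact IOC strings is the point: the kit rotates host names and file names, but the landing page, the IE pages and the Flash and Silverlight payloads keep their respective extensions, so a single client hitting a .php followed by .html, .swf or .xap under the same first path component reads as one exploit chain. Treat the pattern as a hunting query, not a blocking rule, since a 24/12/12 alphanumeric path is not unique to Terror EK.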
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/LtTZ9w1Mje7E.php
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/FHS7JFjfW9Vl.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/tvUNJV6Uhzvn/ZNPIoaQXLkkU.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/7Fpp4MHUZXcE.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/xtc8UCTRj7u5.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/6godVZHnf7eO/9kYZ81evk6u5.html
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/VQa0OExKRPgO/xMxzOxKKP4j3.swf
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/tvUNJV6Uhzvn/RFz1s9kbszgb.xap
whereareyou.pro/phRUoB0EEKe0c7hebuFTmeWb/5buZoKiY2Bxl.php

Flash exploit: