Sneaky Redirect to Exploit Kit

While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here.

Here’s the website I visited…looks suspicious already:


There was a reference to an external Javascript file:


The file is obfuscated Javascript which is a red flag:


I found the malicious redirect, or so I thought…


Long story short, this led nowhere. Going back to the main page, there is a call to a Flash file at the bottom.


Reviewing the ActionScript reveals something interesting. It reads in a PNG file called “gray-bg.png”, extracts every other character, then evals it.

The “PNG file is not a graphic file but a renamed text file.


I used Converter to extract one character every two positions and got this:


The URL leads to the Neutrino landing page.

This entry was posted in Exploit Packs, Malscript and tagged , , , . Bookmark the permalink.