Sneaky Redirect to Exploit Kit

While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here.

Here’s the website I visited…looks suspicious already:

2014-01-12_01

There was a reference to an external Javascript file:

2014-01-12_02

The file is obfuscated Javascript which is a red flag:

2014-01-12_03

I found the malicious redirect, or so I thought…

2014-01-12_04

Long story short, this led nowhere. Going back to the main page, there is a call to a Flash file at the bottom.

2014-01-12_05

Reviewing the ActionScript reveals something interesting. It reads in a PNG file called “gray-bg.png”, extracts every other character, then evals it.
2014-01-12_06

The “PNG file is not a graphic file but a renamed text file.

2014-01-12_07

I used Converter to extract one character every two positions and got this:

2014-01-12_08

The URL leads to the Neutrino landing page.

This entry was posted in Exploit Packs, Malscript and tagged , , , . Bookmark the permalink.