Sneaky Redirect to Exploit Kit

While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here.

Here's the website I visited...looks suspicious already:

There was a reference to an external Javascript file:

The file is obfuscated Javascript which is a red flag:

I found the malicious redirect, or so I thought...

Long story short, this led nowhere. Going back to the main page, there is a call to a Flash file at the bottom.

Reviewing the ActionScript reveals something interesting. It reads in a PNG file called "gray-bg.png", extracts every other character, then evals it.

The "PNG file is not a graphic file but a renamed text file.

I used Converter to extract one character every two positions and got this:

The URL leads to the Neutrino landing page.

Posted on: 01/12/2014