SofosFO Exploit Kit Changes

This is an update to the previous post here. The kit now includes the CVE-2013-0422 (Jre7u10) 0day.

JS

HTTP Request Method = GET
Domain = *.org
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/Qm[a-zA-Z0-9]+\/[a-z]+\.js$

JAR

HTTP Request Method = GET
Domain = *.org
Content-Type = application/java-archive
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.jar$

PDF

HTTP Request Method = GET
Domain = *.org
Content-Type = application/pdf
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.pdf$

EXE (Encoded)

HTTP Request Method = GET
Domain = *.org
Content-Type = application/octet-stream
Regex = ^http:\/\/[a-z-.]{16,}\.org\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[0-9]{7,10}$

If not done already, Snort users could probably do something interesting with this: the encoded EXE is served as “application/octet-stream” without a proper MZ header.

Examples:

hxxp://legroom.fixedxxnunprofitablerx .org/w230hFGGpYmYWDmhwGKhDxFGWIGY/QmWmlmDEwPmQmlml/packets.js
hxxp://legroom.fixedxxnunprofitablerx .org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/implemented.jar
hxxp://legroom.fixedxxnunprofitablerx .org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/333205651/produce.pdf
hxxp://legroom.fixedxxnunprofitablerx .org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/92637253

hxxp://privilege-kindly.tpmyanointedpkga .org/ykdhFAIDYKwYDmhmGIhCQFNAmhG/QmWmlmDEwPmQmlml/misrepresentations.js
hxxp://privilege-kindly.tpmyanointedpkga .org/lxqq9mwdhFAIDYDQYDmhmGIhCQFNAmQp/276082143/firefight.jar
hxxp://privilege-kindly.tpmyanointedpkga .org/lxnq9mwdhFAIDYDQYDmhmGIhCQFNAmQp/354999135/centralized.pdf
hxxp://privilege-kindly.tpmyanointedpkga .org/lxnq9mwdhFAIDYDQYDmhmGIhCQFNAmQp/354999135/53627863

hxxp://ycqqabsentee.pointingmlpitifulcco .org/1a3bbgflhFAwIIWpQpwGmAGwhgFgApmy/QmWmlmxwPmEmlml/specifies.js
hxxp://ycqqabsentee.pointingmlpitifulcco .org/z9zu1cyhFAwIIWyQpwGmAGwhgFgApDD/384335740/english.pdf
hxxp://ycqqabsentee.pointingmlpitifulcco .org/5ye727dmhFAwIIWyQpwGmAGwhgFgApDD/344272683/570646680

hxxp://ecological.crossroadsxqc .org/bshFAIGAYYYDmhmGIhGQFpfwAK/QmxmlmQlwlmQmEml/misrepresentations.js
hxxp://ecological.crossroadsxqc .org/53d3gahFAIGAYNYDmhmGIhGQFpfwIg/356959135/centralized.pdf
hxxp://ecological.crossroadsxqc .org/9xhFAIGAYNYDmhmGIhGQFpfwIg/394501877/2983062
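To show how the four patterns above are used together, here is an added example (mine, not the post's) that applies the URL regexes and Content-Type fields to constructed proxy log lines built from the post's example URLs, and implements the octet-stream-without-MZ check from the Snort remark; the "METHOD URL CONTENT_TYPE" log format is an assumption.

```python
import re

# Stage -> (compiled URL regex from the post, expected response Content-Type; None = not listed)
STAGES = {
    "js":  (re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/Qm[a-zA-Z0-9]+/[a-z]+\.js$"), None),
    "jar": (re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/[0-9]{9,10}/[a-z]+\.jar$"), "application/java-archive"),
    "pdf": (re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/[0-9]{9,10}/[a-z]+\.pdf$"), "application/pdf"),
    "exe": (re.compile(r"^http://[a-z-.]{16,}\.org/[a-zA-Z0-9]{24,}/[0-9]{9,10}/[0-9]{7,10}$"), "application/octet-stream"),
}

def refang(url):
    """Undo the post's defanging (hxxp://, space before .org) so the regexes apply."""
    return url.replace("hxxp://", "http://").replace(" .org", ".org")

def classify_request(method, url, content_type=None):
    """Return the SofosFO stage ('js', 'jar', 'pdf', 'exe') a GET matches, else None."""
    if method != "GET":
        return None
    for stage, (pattern, expected_ct) in STAGES.items():
        if pattern.match(url) and (expected_ct is None or content_type == expected_ct):
            return stage
    return None

def octet_stream_without_mz(content_type, body):
    """The post's Snort idea: an octet-stream body whose first bytes are not the PE 'MZ' magic."""
    return content_type == "application/octet-stream" and not body.startswith(b"MZ")

def scan_proxy_log(lines):
    """Constructed log format (assumption): 'METHOD URL CONTENT_TYPE' per line, '-' = no type."""
    hits = []
    for line in lines:
        method, url, ct = line.split()
        stage = classify_request(method, refang(url), None if ct == "-" else ct)
        if stage:
            hits.append((stage, url))
    return hits

# Constructed log lines built from the example URLs in the post plus one benign request.
SAMPLE_LOG = [
    "GET hxxp://legroom.fixedxxnunprofitablerx.org/w230hFGGpYmYWDmhwGKhDxFGWIGY/QmWmlmDEwPmQmlml/packets.js -",
    "GET hxxp://legroom.fixedxxnunprofitablerx.org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/implemented.jar application/java-archive",
    "GET hxxp://legroom.fixedxxnunprofitablerx.org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/333205651/produce.pdf application/pdf",
    "GET hxxp://legroom.fixedxxnunprofitablerx.org/0hxtxhFGGpYhGWDmhwGKhDxFGYFIY/243024699/92637253 application/octet-stream",
    "GET http://www.example.org/static/app.js application/javascript",
]

if __name__ == "__main__":
    for stage, url in scan_proxy_log(SAMPLE_LOG):
        print(stage, url)
```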
