Speedtest.net serving malvertising to g01pack Exploit Kit

You can see a paste of the main page here. The malicious code begins at line 166.

The cleaned-up JS code is here.

This also highlights some changes in the g01pack exploit chain; I will post more about it after researching further.

Exploit Chain:

http://www.speedtest.net

http://lewhenfold.is-a-designer.com/finance/

http://lewhenfold.is-a-designer.com/finance/sw4qr.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/rlwra.gif (application/java-archive)

http://lewhenfold.is-a-designer.com/finance/qyjkj.php

http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50& (Encoded EXE > 0x7e) > application/octet-stream
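
The chain above serves Java archives from URLs ending in .gif and a binary from a .php URL. The following added example (not code from the original post) flags that extension/Content-Type disagreement in proxy records; the tab-separated record format, the extension sets, the verdict names and the last sample record are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Tab-separated "URL<TAB>Content-Type" records (assumed export format).
# The first three reproduce the chain listed in the post; the last is constructed.
SAMPLE_LOG = (
    "http://lewhenfold.is-a-designer.com/finance/sw4qr.gif\tapplication/java-archive\n"
    "http://lewhenfold.is-a-designer.com/finance/rlwra.gif\tapplication/java-archive\n"
    "http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F"
    "&site=33676207&login=50&\tapplication/octet-stream\n"
    "http://static.example.com/img/logo.gif\timage/gif; charset=binary\n"
)

IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg"}
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".jsp"}
# Content types that carry code or opaque binaries (illustrative, not exhaustive).
RISKY_TYPES = {
    "application/java-archive",
    "application/x-java-archive",
    "application/octet-stream",
    "application/x-msdownload",
}

def classify(url, content_type):
    """Return 'mismatch', 'review', or None for one URL/Content-Type pair."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    mime = content_type.split(";", 1)[0].strip().lower()  # drop parameters
    if mime not in RISKY_TYPES:
        return None
    if ext in IMAGE_EXTS:
        return "mismatch"  # image extension, executable or binary content
    if ext in SCRIPT_EXTS:
        return "review"    # server-side script handing back a binary
    return None

def scan(log_text):
    """Return (verdict, url, content_type) for every flagged record."""
    findings = []
    for line in log_text.splitlines():
        url, sep, content_type = line.partition("\t")
        if not sep:
            continue  # skip records without a Content-Type field
        verdict = classify(url.strip(), content_type)
        if verdict:
            findings.append((verdict, url.strip(), content_type.strip()))
    return findings

if __name__ == "__main__":
    for verdict, url, ctype in scan(SAMPLE_LOG):
        print(f"{verdict:8} {ctype:26} {url}")
```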
