Black Dragon BEK2 Variant

This BEK2 variant seems to use some static gate strings, each of which directs to a different payload.

/black_dragon.php
/98y7y432ufh49gj23sldkkqowpsskfnv.php
/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
/209tuj2dsljdglsgjwrigslgkjskga.php
/984y3fh8u3hfu3jcihei.php

It appears to use the /closest/ tag, but has used /only/ in the past. Everything else is standard BEK2 so it’s likely picked up by existing rules and sigs.

Example:

/closest/209tuj2dsljdglsgjwrigslgkjskga.php > GATE/PluginDetect
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?jazk=1l:33:1j:33:2j&esbr=35&htqgq=30:33:1m:1n:1h:33:30:1o:30:1h&leynl=1n:1d:1g:1d:1h:1d:1f > PDF
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?opliqayu=rbehzty&lntgr=dyvs > JAR
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?lbxpw=1l:33:1j:33:2w&ftq=30:33:1n:1m:1h:33:30:1o:30:2h&jcglbzm=1i&ykwdj=jhx&jgmzjsm=ijbnvlc > EXE from PDF
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?lf=1l:33:1j:33:2w&le=10:33:1n:1m:1h:33:30:1o:20:1h&c=1f&kv=s&vd=t > EXE from JAR
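As an added example (not part of the original post), the Python below matches proxy-log URLs against the five gate filenames and the /closest/ and /only/ tags listed above, and labels the stage using the request shapes shown in the examples; the host example.invalid, the log format and the stage heuristics are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Static gate filenames listed in the post for this variant.
GATES = {
    "black_dragon.php",
    "98y7y432ufh49gj23sldkkqowpsskfnv.php",
    "98yf8913fjipgjialhg8239jgighnjh4i6k5o.php",
    "209tuj2dsljdglsgjwrigslgkjskga.php",
    "984y3fh8u3hfu3jcihei.php",
}
# Directory tags seen in front of the gate: /closest/ now, /only/ earlier.
TAGS = {"closest", "only"}
# Colon-separated token values such as "1l:33:1j:33:2j" from the exploit requests.
TOKEN_RE = re.compile(r"^[0-9a-z]{1,2}(:[0-9a-z]{1,2}){2,}$")

def classify(url):
    """Return (tag, gate, stage) for a gate hit, or None if the URL is not one.
    Stage heuristic derived from the post's examples (an assumption, not a spec):
    no query -> 'landing' (PluginDetect); only plain-word values -> 'jar';
    token values with 4 params -> 'pdf', with 5 params -> 'exe', else 'exploit'."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) != 2 or segs[0] not in TAGS or segs[1] not in GATES:
        return None
    tag, gate = segs
    params = parse_qs(parts.query, keep_blank_values=True)
    if not params:
        return tag, gate, "landing"
    if any(TOKEN_RE.match(v[0]) for v in params.values()):
        return tag, gate, {4: "pdf", 5: "exe"}.get(len(params), "exploit")
    return tag, gate, "jar"

def scan_log(lines):
    """Return (line_no, tag, gate, stage) for each 'client url' log line hitting a gate."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 2 and (res := classify(fields[1])):
            hits.append((n,) + res)
    return hits

# Constructed sample log; example.invalid stands in for the real gate host.
SAMPLE_LOG = [
    "10.0.0.5 http://example.invalid/closest/209tuj2dsljdglsgjwrigslgkjskga.php",
    "10.0.0.5 http://example.invalid/closest/209tuj2dsljdglsgjwrigslgkjskga.php?jazk=1l:33:1j:33:2j&esbr=35&htqgq=30:33:1m:1n:1h:33:30:1o:30:1h&leynl=1n:1d:1g:1d:1h:1d:1f",
    "10.0.0.5 http://example.invalid/closest/209tuj2dsljdglsgjwrigslgkjskga.php?opliqayu=rbehzty&lntgr=dyvs",
    "10.0.0.7 http://example.invalid/only/black_dragon.php",
    "10.0.0.9 http://example.invalid/closest/index.php",
]
```

Running scan_log(SAMPLE_LOG) flags the first four lines and ignores the fifth, since index.php is not one of the known gate names.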

See examples of Black Dragon BEK2 on UrlQuery.net