Monthly Archives: May 2013

Topic Exploit Kit

This is a community name for a long-standing exploit kit that I see from time to time.

Example Chain: > GATE > PLUGINDETECT > JAR > PDF > EXE

Have seen the following tags for different exploits:


@Set_Abominae noticed a recent example chain exploiting CVE-2013-2423 and posted on pastebin >

Flimkit Exploit Kit

**Thanks to @node5 and @EKwatcher**

This is known to EmergingThreats as ‘FlimKit’.

This originated from a ‘8gcf744Waxolp752.php’ traffic redirector and’s ‘popunder’ advertising service.

Observed request chain: Iframe > Paste of CVE-2013-2423 contents > MALJAR 2423 > 404 > 404 > 404 > POST (application/octet-stream)

That's an interesting way to get a rogueav/locker payload.

HTTP Method = POST
Content-type = application/octet-stream
Regex HTTP URI for \/[a-f0-9]{16}$
Content Length > 800k (Optional)

Flimkit Gates:


This is a list of all the IPs I could find hosting Flimkit >

The *.pl domains are all being “tasted”.


Slight change in RedKit URI

As noticed by @Set_Abominae and @kafeine, RedKit has made a slight modification to its URI.

The filename now looks to be four characters for the html, jar and jnlp; the EXE remains 2 digits.

Redkit JNLP

HTTP Method = GET
HTTP URI ends with *.jnlp
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jnlp$

RedKit JAR

HTTP Method = GET
HTTP URI ends with *.jar
Content-type = application/java-archive
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jar$

*Is this change related to the Sophos article? Hmm… :)*

BEK Utilizing JNLP files

Looks like multiple variants of BEK have integrated the use of JNLP files as well.

@secobscurity has a very nice writeup of how JNLP bypasses the security warning that was introduced with JRE 7u11.

Paste of jnlp landing.,07116a753d (text/html) (application/java-archive)


HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$
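As an added example (not the blog's own tooling), here is the Flimkit POST, RedKit JNLP/JAR and BEK JNLP signatures above transcribed into one small Python matcher and run over constructed sample requests; the hostnames and hex values in the samples are placeholders, not indicators from the post.

```python
import re

# Detection rules transcribed from the signatures in the post. Each rule
# checks the HTTP method, optional header fields, and the URI regex as given.
RULES = [
    {"name": "Flimkit payload POST", "method": "POST",
     "content_type": "application/octet-stream",
     "uri_re": re.compile(r"/[a-f0-9]{16}$")},          # Content-Length > 800k is optional, so not enforced
    {"name": "RedKit JNLP", "method": "GET",
     "uri_re": re.compile(r"^http://[a-z0-9A-Z-.]+/[a-z0-9A-Z]{4}\.jnlp$")},
    {"name": "RedKit JAR", "method": "GET",
     "content_type": "application/java-archive",
     "uri_re": re.compile(r"^http://[a-z0-9A-Z-.]+/[a-z0-9A-Z]{4}\.jar$")},
    {"name": "BEK JNLP", "method": "GET", "ua_prefix": "JNLP",
     "uri_re": re.compile(r"\.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$")},
]


def classify(req):
    """Return the names of every rule that matches one request dict."""
    hits = []
    for rule in RULES:
        if req.get("method") != rule["method"]:
            continue
        if "content_type" in rule and req.get("content_type") != rule["content_type"]:
            continue
        if "ua_prefix" in rule and not req.get("user_agent", "").startswith(rule["ua_prefix"]):
            continue
        if not rule["uri_re"].search(req.get("uri", "")):
            continue
        hits.append(rule["name"])
    return hits


def scan(requests):
    """Map each matching URI to its rule names; silent requests are dropped."""
    return {r["uri"]: classify(r) for r in requests if classify(r)}


# Constructed sample traffic (placeholder host and hex values, not real IoCs).
SAMPLE = [
    {"method": "GET", "uri": "http://example.test/ab3f.jnlp", "user_agent": "Mozilla/5.0"},
    {"method": "GET", "uri": "http://example.test/ab3f.jar", "content_type": "application/java-archive"},
    {"method": "GET", "uri": "http://example.test/index.php?jnlp=0123456789,abcdef0123", "user_agent": "JNLP/7.0"},
    {"method": "POST", "uri": "http://example.test/0123456789abcdef", "content_type": "application/octet-stream"},
    {"method": "GET", "uri": "http://example.test/abcd1.jar", "content_type": "application/java-archive"},  # 5 chars: old-style, no hit
]

if __name__ == "__main__":
    for uri, names in scan(SAMPLE).items():
        print(uri, "->", ", ".join(names))
```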

See more examples of BEK JNLP files on