BEK Utilizing JNLP files

It looks like multiple variants of BEK have integrated the use of JNLP files as well.

@secobscurity has a very nice writeup of how JNLP bypasses the security warning that was introduced with JRE 7u11.

Paste of JNLP landing.

d.wholink.pw/raise/words-printers.php?jnlp=b3bd7b747e,07116a753d (text/html)
d.wholink.pw/raise/words-printers.php?rtg=cnavm&qznsq=ttczm (application/java-archive)

BEK JNLP File

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$
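
The signature above applied to proxy log lines, as an added example that is not part of the original post. It assumes all three conditions must hold together and a tab-separated log layout (method, host, URI, User-Agent); the hosts, tokens and User-Agent strings in the sample are constructed.

```python
import re

# URI regex exactly as given in the signature above.
URI_RE = re.compile(r"\.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$")

# Constructed sample log: method, host, URI, User-Agent (tab-separated).
JNLP_UA = "JNLP/6.0 javaws/1.6.0_45 (b06) Java/1.6.0_45"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
SAMPLE_LOG = [
    f"GET\tkit.example\t/raise/a.php?jnlp=0123456789,abcdef0123\t{JNLP_UA}",
    f"GET\tkit.example\t/raise/a.php?jnlp=0123456789,abcdef0123\t{BROWSER_UA}",
    f"GET\tkit.example\t/x/y.php?jnlp=deadbeef00\t{JNLP_UA}",
    f"POST\tkit.example\t/x/y.php?jnlp=deadbeef00\t{JNLP_UA}",
    f"GET\tapp.example\t/launch.php?jnlp=abcdef012\t{JNLP_UA}",       # 9 hex chars
    f"GET\tapp.example\t/launch.php?jnlp=ABCDEF0123\t{JNLP_UA}",      # upper case
    f"GET\tapp.example\t/launch.php?jnlp=abcdef0123&v=2\t{JNLP_UA}",  # extra parameter
    "truncated line without enough fields",
]


def is_bek_jnlp(method, uri, user_agent):
    """True only when method, User-Agent prefix and URI regex all match."""
    return (
        method == "GET"
        and user_agent.startswith("JNLP")
        and URI_RE.search(uri) is not None
    )


def scan(lines):
    """Return (line index, host, uri) for every line matching the signature."""
    hits = []
    for index, line in enumerate(lines):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed record: skip rather than guess at fields
        method, host, uri, user_agent = fields
        if is_bek_jnlp(method, uri, user_agent):
            hits.append((index, host, uri))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the URI alone would also flag the browser's own request in the second sample line; the User-Agent condition is what narrows hits to fetches made by the Java Web Start client.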

See more examples of BEK JNLP files on UrlQuery.net
