Flimkit Exploit Kit

**Thanks to @node5 and @EKwatcher**

This is known to EmergingThreats as ‘FlimKit’.

This originated from an ‘8gcf744Waxolp752.php’ traffic redirector and flagads.net’s ‘popunder’ advertising service.

onbackups.biz/ (Iframe)
rugocsv.pl/ameron (Paste of CVE-2013-2423 Contents)
rugocsv.pl/a59a312c49082.zip (MALJAR 2423)
rugocsv.pl/9f8705012b5f0.zip (404)
rugocsv.pl/eqquutgc/lfwumjmg.class (404)
rugocsv.pl/eqquutgc/lfwumjmg/class.class (404)
rugocsv.pl/cba6a7ca3e3f789a POST (application/octet-stream)

That's an interesting way to get a rogueav/locker payload.

HTTP Method = POST
Content-type = application/octet-stream
HTTP URI matches the regex \/[a-f0-9]{16}$
Content Length > 800k (Optional)

Flimkit Gates:

*/veenuews
*/shupolak
*/ameron
*/shoerton
*/juicokahe
*/erolikos
*/rukaleta
*/fpcelokas
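To show how the POST signature above and the gate list can be turned into detection logic, here is an added example (not code from the original post, and not an EmergingThreats rule). It checks proxy-style request records against the stated criteria: a POST with Content-Type application/octet-stream to a URI ending in 16 hex characters, optionally larger than 800k, and any URI whose last path segment is one of the listed gate names. The log format and the sample records are constructed for the example; the 800k threshold is read as 800 KiB, which is an assumption.

```python
import re
from dataclasses import dataclass

# Payload-download signature from the post: URI ends in a 16-char hex segment,
# delivered as a POST with application/octet-stream, optionally > 800k.
PAYLOAD_URI_RE = re.compile(r"/[a-f0-9]{16}$")
PAYLOAD_MIN_LENGTH = 800 * 1024  # "800k" in the post; interpreted as 800 KiB (assumption)

# Gate path names from the post's "*/name" list (last path segment).
GATE_NAMES = {
    "veenuews", "shupolak", "ameron", "shoerton",
    "juicokahe", "erolikos", "rukaleta", "fpcelokas",
}


@dataclass
class HttpRequest:
    method: str
    host: str
    uri: str
    content_type: str = ""
    content_length: int = 0


def _path(uri):
    """Strip any query string so matching only looks at the path."""
    return uri.split("?", 1)[0]


def is_flimkit_gate(req):
    """True when the final path segment is one of the known gate names."""
    last = _path(req.uri).rstrip("/").rsplit("/", 1)[-1]
    return last in GATE_NAMES


def is_flimkit_payload_post(req, require_size=False):
    """Apply the POST / octet-stream / 16-hex-URI signature, with the optional size check."""
    if req.method.upper() != "POST":
        return False
    media_type = req.content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/octet-stream":
        return False
    if not PAYLOAD_URI_RE.search(_path(req.uri)):
        return False
    if require_size and req.content_length <= PAYLOAD_MIN_LENGTH:
        return False
    return True


def classify(req, require_size=False):
    """Return a verdict label for a request, or None if nothing matched."""
    if is_flimkit_gate(req):
        return "flimkit-gate"
    if is_flimkit_payload_post(req, require_size):
        return "flimkit-payload-post"
    return None


# Constructed sample records (tab-separated: method, host, uri, content-type, content-length).
# Hosts and paths echo the ones in the post; the size and the negative cases are made up.
SAMPLE_LOG = """\
GET\tonbackups.biz\t/\t\t0
GET\trugocsv.pl\t/ameron\ttext/html\t0
GET\trugocsv.pl\t/a59a312c49082.zip\tapplication/zip\t0
POST\trugocsv.pl\t/cba6a7ca3e3f789a\tapplication/octet-stream\t912345
POST\texample.invalid\t/upload/cba6a7ca3e3f789a\tapplication/json\t912345
GET\texample.invalid\t/images/ameron/logo.png\timage/png\t0
"""


def parse_log(text):
    """Parse the constructed tab-separated format into HttpRequest records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, host, uri, ctype, clen = line.split("\t")
        reqs.append(HttpRequest(method, host, uri, ctype, int(clen or 0)))
    return reqs


def scan(text, require_size=False):
    """Run the classifier over a log and return (host+uri, verdict) for every hit."""
    hits = []
    for req in parse_log(text):
        verdict = classify(req, require_size)
        if verdict:
            hits.append((req.host + req.uri, verdict))
    return hits


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG, require_size=True):
        print(f"{verdict}: {url}")
```

Only the two requests that reproduce the post's traffic pattern are flagged: the `/ameron` gate and the octet-stream POST to the 16-hex URI. A JSON POST to a similar-looking path and a URI that merely contains a gate name mid-path are left alone, which keeps the gate match anchored to the end of the path the way the `*/name` glob implies.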

This is a list of all the IPs I could find hosting Flimkit > http://pastebin.com/xpTvn4L1

The *.pl domains are all being “tasted”.

Reference:

http://doc.emergingthreats.net/bin/view/Main/2016869
http://doc.emergingthreats.net/bin/view/Main/2016840
http://doc.emergingthreats.net/bin/view/Main/2016839
