Dotcachef Exploit Kit

— Update 6/27 —

The users of this exploit kit have dropped the \/\.cache\/ directory pattern and replaced it with \/[a-f0-9]{10}\/ (a ten-character hex directory name)

They have also changed f=site.jar and f=atom.jar to f=s and f=s

Lots of examples of the changes are on UrlQuery.net

Props to EKwatcher for noticing this…

Example Chain:

http://www.environmentalleader.com/2013/06/10/cintas-eco-apparel-diverts-17-million-plastic-bottles-from-landfill/app.jnlp > Compromised via Malvertising
http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=166 > REDIR
http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=site.jar&k=8791629774058014&h=bcf52e8e32f17f53 > JAR
http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=sm_main.mp3&k=8791629774058025&h=bcf52e8e32f17f53 (application/octet-stream) > Unencoded EXE – ZA

Looking for “/.cache/?f=” in the URI gives pretty solid results for traffic from before the 6/27 change noted above; the newer variant has to be matched on the hex directory pattern instead.
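As an added example (not code from the original post), here is a small Python check that applies both URI patterns described above, the original /.cache/?f= and the 6/27 variant with a ten-character hex directory and f=s, to constructed proxy log lines. The log format, the example.invalid host and the idea of treating the k= and h= parameters as supporting evidence are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path patterns described in the post: the original /.cache/ directory
# and the later ten-character hex directory that replaced it.
OLD_PATH = re.compile(r"/\.cache/$")
NEW_PATH = re.compile(r"/[a-f0-9]{10}/$")


def classify_url(url):
    """Return 'dotcachef-old', 'dotcachef-new' or None for a request URL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    f = qs.get("f", [None])[0]
    if f is None:
        return None
    if OLD_PATH.search(parts.path):
        return "dotcachef-old"
    # The bare hex-directory pattern alone matches many benign CDN paths,
    # so the new variant is only flagged together with the shortened f=s.
    # Requiring k= and h= as well is an assumption taken from the example
    # chain, used here to cut false positives further.
    if NEW_PATH.search(parts.path) and f == "s" and "k" in qs and "h" in qs:
        return "dotcachef-new"
    return None


def scan_log(text):
    """Return (url, label) pairs for log lines whose URL matches a pattern.

    Assumed log layout: date time client_ip method url status
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label = classify_url(fields[4])
        if label:
            hits.append((fields[4], label))
    return hits


# Constructed sample log: the first two URLs are from the post's example chain,
# the last two are made up (one new-variant hit and one benign look-alike).
SAMPLE_LOG = """\
2013-06-12 10:01:02 192.0.2.10 GET http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=site.jar&k=8791629774058014&h=bcf52e8e32f17f53 200
2013-06-12 10:01:03 192.0.2.10 GET http://www.megabit.nl/gallery/docs/g1package/images/.cache/?f=sm_main.mp3&k=8791629774058025&h=bcf52e8e32f17f53 200
2013-06-28 11:00:00 192.0.2.11 GET http://example.invalid/images/a1b2c3d4e5/?f=s&k=1&h=2 200
2013-06-28 11:00:01 192.0.2.11 GET http://example.invalid/static/cache/?f=style.css 200
"""
```

Running scan_log(SAMPLE_LOG) flags the two /.cache/ requests and the hex-directory f=s request, and leaves the benign /static/cache/ request alone.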

See examples of Unknown Exploit Kit on UrlQuery.net

More examples and info can be found on Basemont.com
