Monthly Archives: October 2014

EK Redirect – Silverlight rewrite

Noticed some interesting traffic following the chain below:

hxxp://sunduk.biz/forum/docs/login.php
hxxp://qobac.cobor.in/g76df4d/rtp.xap?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.swf?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.php?0.4495108588209197

hxxp://qobac.cobor.in/pofrj4l/2 > Fiesta Gate

When looking at the landing page there is no reference to rtu.php in it (landing page source: http://pastebin.com/n6dYSHY4)

The XAP (Silverlight) file is downloaded; when you pop it into a tool like ILSpy, it is quite clear what is happening.

[Screenshot: rtp.xap opened in ILSpy]

The rtu.php file simply redirects to Fiesta…
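Short of loading the XAP into ILSpy, the same first-pass triage can be scripted. This is an added example, not code from the post: a XAP is a ZIP archive whose AppManifest.xaml names the entry assembly and entry type, and .NET string literals are stored UTF-16LE in the assembly's #US heap, so a UTF-16 strings pass over the DLL usually exposes hard-coded next-stage names without a decompiler. The sample XAP is constructed in memory; the assembly name "rtp", the literals "rtu.swf?"/"rtu.php?" and the fake (non-PE) DLL body are assumptions for illustration, not the contents of the real file.

```python
"""Triage a Silverlight XAP without a decompiler (added example).

XAP = ZIP. AppManifest.xaml -> entry assembly / entry type / assembly parts.
.NET user strings are UTF-16LE, so scanning the DLL for runs of
printable-char + NUL pairs recovers hard-coded URLs and filenames.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"

# Strings worth a second look in a suspected redirector: URLs and
# next-stage file types. .dll is left out because every assembly refers to some.
INTERESTING = re.compile(r"https?://|\.(?:swf|php|xap|exe|jar)\b", re.I)


def parse_manifest(xml_bytes):
    """Return entry assembly, entry type and the listed assembly parts."""
    root = ET.fromstring(xml_bytes)
    return {
        "assembly": root.get("EntryPointAssembly"),
        "type": root.get("EntryPointType"),
        "runtime": root.get("RuntimeVersion"),
        "parts": [p.get("Source") for p in root.iter(DEPLOY_NS + "AssemblyPart")],
    }


def utf16_strings(blob, min_len=6):
    """Extract runs of at least min_len printable UTF-16LE characters."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def triage_xap(xap_bytes):
    """List archive members, parse the manifest, and pull strings from DLLs."""
    report = {"files": [], "manifest": None, "strings": [], "hits": []}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        report["files"] = z.namelist()
        if "AppManifest.xaml" in report["files"]:
            report["manifest"] = parse_manifest(z.read("AppManifest.xaml"))
        for name in report["files"]:
            if name.lower().endswith(".dll"):
                report["strings"] += utf16_strings(z.read(name))
    report["hits"] = [s for s in report["strings"] if INTERESTING.search(s)]
    return report


def build_sample_xap():
    """Constructed sample XAP (assumption: names/literals are illustrative)."""
    manifest = (
        b'<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"\n'
        b'            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"\n'
        b'            EntryPointAssembly="rtp" EntryPointType="rtp.App"\n'
        b'            RuntimeVersion="5.0.61118.0">\n'
        b"  <Deployment.Parts>\n"
        b'    <AssemblyPart x:Name="rtp" Source="rtp.dll" />\n'
        b"  </Deployment.Parts>\n"
        b"</Deployment>\n"
    )
    # Stand-in for the .NET assembly: NOT a real PE, just the kind of
    # UTF-16LE literals a #US heap holds, separated by junk bytes.
    fake_dll = b"MZ" + b"\x00" * 14
    for lit in ("rtu.swf?", "rtu.php?", "HtmlPage.Window"):
        fake_dll += lit.encode("utf-16-le") + b"\x00\x00\x13\x37"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("rtp.dll", fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_xap(build_sample_xap())
    print("members :", rep["files"])
    print("manifest:", rep["manifest"])
    print("hits    :", rep["hits"])
```

On a real capture, read the .xap from disk instead of `build_sample_xap()`; the hits list is the quick answer to "what does this thing fetch next", which in the chain above would be the rtu.swf / rtu.php pair.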

¯\_(ツ)_/¯