Search Results for: RedKit

Slight change in RedKit URI

As noticed by @Set_Abominae and @kafeine, redkit has made a slight modification to it’s URI.

Looks to now be four characters in the html, jar and jnlp. EXE remains 2 digits.

Redkit JNLP

HTTP Method = GET
HTTP URI ends with *.jnlp
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jnlp$

RedKit JAR

HTTP Method = GET
HTTP URI ends with *.jar
Content-type = application/java-archive
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jar$

*Is this change related to the Sophos article? Hmm… :)*

Current Event Redirectors to Redkit

Have been seeing these a lot recently in conjunction with recent events…

HTTP Method = GET
HTTP URI ends with */news.html OR */boston.html OR */texas.html
Regex HTTP Request for ^http:\/\/(\d\d?\d?\.){3}\d\d?\d?\/(news|texas|boston)\.html$

See examples of this on UrlQuery.net

Slight changes in RedKit URI

Finally seeing some changes/customization in Redkit payloads, a departure from the static files.

vivianmastrangelo.com/atnf.htm
vivianmastrangelo.com/pqo.jar
vivianmastrangelo.com/11.html > encoded (application/octet-stream)

chelscore.com/wtpp.html
chelscore.com/jce.jar
chelscore.com/55.html > encoded (application/octet-stream)

JAR

HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[a-z0-9]{3}\.jar$

Confirmed by @node5 and @xanda on twitter

EXE

HTTP Method = GET
Content-Type = application/octet-stream
HTTP Destination = *.html
User-Agent = *Java/1.*

Regex HTTP URI for \/[0-9]{2}\.html$ <-- Optional

Redkit Random Gates

Here’s some more recent strings to locate redkit gates.

Regex HTTP URI for “\/(hfrn|azhd|eesb|hfqf|mapn|wmhd|mzyp|oegu|efgv|acsu|acej|hmod|aoei|aoef|asyq|asju|awtg|zmyg|awtg|
wesn|hawf|actu|ozzi|hcwf|wehf|aces|mhes|mhos|efxq|acgu|eotp|cctg|hmpu|aiyh|pztp|mayp|ezzi|ewci|aced|hzws|eitr|
mzai|aesr|asjs|ezzf|gsjj|zhsu)\.html?”

Can regex with \/[a-z]{4}\.html?$

There will be false positives, use a 4-letter-word dictionary as a csv to weed out common words.

See examples of Random Redkit Gates on UrlQuery.net

Some Redkit Gates also have a parameter on the end of the gate url which makes it easier to weed out fp’s.

eg.

http://forum.ymsite.com/mzcs.html?j=1317756
http://alphafenceflorida.com/heiu.htm?h=756208
http://treatmentregistry.org/ccms.html?i=1127744

Can regex with \/[a-z]{4}\.html?\?[a-z]=[0-9]+$

See examples of Redkit Gate w/ Param on UrlQuery.net

Redkit Exploit Kit

Redkit like to download payload as an executable named like a html file.

HTTP Request Method = GET
HTTP URI = *.html or *.htm
Content Type = application/octet-stream

RedKit Gate

Regex URI for “\/h(m|f)[a-z]{2}\.html?$” — This is now out of date. They seem to have turned to random.

Examples:

/aced.htm
/acgu.htm
/efxq.htm
/hcwf.htm

Can regex for ^http:\/\/[a-z0-9-.]+?\/[a-z]{4}\.html?$ but very prone to false positives.

JARs and PDFs are still easiest to spot.

/887.jar
/332.jar
/987.pdf
/Runs.class
/Runs/class.class
/Gobon/class.class
/Gobon.class

EXE’s are still easy too.

/33.html (application/octet-stream)
/62.html (application/octet-stream)

Examples:

See Examples of RedKit Gates in UrlQuery.net

See examples of RedKit PDF and JAR files in UrlQuery.net

See examples of RedKit EXE files in UrlQuery.net

REM RedKit Redirector – Not sure if still active

HTTP Request Method = GET
HTTP URI = */rem*.htm OR */rem*.html

Regex

“:81\/rem[0-9]\.html?$”

See examples of REM redirectors on UrlQuery.net

Probable ZBOT Post-Compromise Activity

Found these in a very noisy redkit attack…not totally sure that it’s ZBOT. Corrections welcome…

POST naurg. com/xhobdogfz.db
POST naurg. com/fjgmzzllvqoycbsustahfwbsuytqzhtidcjihpgvtu.rtf
POST naurg. com/issrxrdzlpofezkwhmuhymmorkplnc.7z
POST naurg. com/ixzygseaenf.log
POST ronavo .com/npjvncroe.log
POST ronavo .com/lwtirttzxoevcaztzylqbou.7z
POST ronavo .com/kaaaaaabnqayupqau.rar
POST ronavo .com/bzmqvwtwbrejgqibfkgmjirjcpwoclitfdshtsmftyuhvtwbdsqrkvgpnozym.php3

HTTP Method = POST
Content-Type = “application/x-www-form-urlencoded”
Regex HTTP URI for ^http:\/\/[a-zA-Z0-9-.]+\/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$

http://kargid. org/c.htm?uvZA8kUIv7AwOZCMqkqhwl7jDZUOEtWFwErdgRUr
http://joshuagsilverman .com/q.htm?tVgNliikvKhhITo2QcV1ooZ6QICtS8
http://homedecorreviews. com/g.htm?Eyl5gRHaELSinXQ9fvb8k3XUOfoOTq
http://heritageclothingcompany .com/w.htm?OomDwn2fWkkW598iEtR5afe
http://solomaquetas. com/l.htm?ZQjpwNPWV1o94aEFkSdd1vYt1ZjKWC4zOr
http://gorgeoregon. com/w.htm?f9QAXSZ4vUh6qvt43YOaauWiEfSqvZKlDjI
http://compstar .us/k.htm?oyQWBuciU6G3qqIu73gpbnxia7m2m8A8baezO51
http://canadabook .ca/y.htm?qELp27uE4QF76X65tsSEitdFC63ymvKqICc16

HTTP Method = GET
Content-Type = “application/octet-stream”
User-Agent = “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
Regex HTTP URI for \/[a-z]\.htm\?

Regex HTTP URI for ^[a-zA-Z0-9:/.?-_]{57,64}$ > they all seem to be 57-64 char right now…