Styx/Kein Exploit Kit drive-by encounter at www[.]astrostyle.com

WARNING: I don’t recommend interacting with any of the domains in this post.
Please use caution if you wish to investigate further.

The server at www[.]astrostyle.com appears to have been compromised.
If a user browses to this site from a search engine, the tabcontent.js file will include an encoded JavaScript redirect that eventually leads to a fake AV scan where the user is prompted to download an executable to remove the infections. For good measure, the page loads a Java exploit in the background to deliver the same payload without user consent.

The chain of events:
tabcontent.js pulls JavaScript from forogozoropoto[.]freetcp.com/143,
where a window.top.location.replace redirect leads to mulivefy[.]ddns.info/info.php?n=143

Followed by two 302 redirects to www3[.]yh1wrlj9w1uxd8.4pu.com and then www1[.]cwvsnwnq1fu-4.4pu.com

Binary load (scandsk.exe) comes from www2[.]dfhfyuiythfgyhtdfrrt.avli.biz

Check-in -> report[.]o793i7q31793iqg3.com
using the forged User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Followed by requests to:
update1[.]9aiyzi81t8c3.com
update[.]rtcjwrya.com
using the forged User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre

Watching for the “pma_visited_theme2” cookie may help identify an encounter with the initial redirect.
The forged user agents may be seen on the network after a successful compromise.
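As an added example (not code from the original post), here is a small Python scan over constructed proxy-log lines that flags the chain hosts, the redirect cookie and the two forged User-Agent strings quoted above; the tab-separated log format, the sample client IPs and the stage labels are assumptions.

```python
# Added example (not from the original post): scan proxy-log lines for the post's
# indicators. Constructed tab-separated format: ts, client_ip, host, path, ua, cookie.
import re
from typing import Dict, List, Set
# Indicators quoted from the post; the defanged "[.]" is written as "." for matching.
REDIRECT_COOKIE = "pma_visited_theme2"
MSIE_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; "
           ".NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; "
           ".NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"
FORGED_UAS = {MSIE_UA: "checkin", FIREFOX_UA: "update"}
CHAIN_HOSTS = {  # stage labels are assumptions; hosts are the ones named in the post
    "forogozoropoto.freetcp.com": "stage1-js",
    "mulivefy.ddns.info": "stage2-redirect",
    "www2.dfhfyuiythfgyhtdfrrt.avli.biz": "binary-download",
    "report.o793i7q31793iqg3.com": "checkin",
    "update1.9aiyzi81t8c3.com": "update",
    "update.rtcjwrya.com": "update",
}
COOKIE_RE = re.compile(r"(^|;\s*)" + re.escape(REDIRECT_COOKIE) + r"=")

def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    findings = []  # one entry per line that matches at least one indicator
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6: continue  # malformed line: skip rather than crash the scan
        ts, client, host, _path, ua, cookie = fields
        reasons = []
        if host in CHAIN_HOSTS:
            reasons.append("host:" + CHAIN_HOSTS[host])
        if COOKIE_RE.search(cookie):
            reasons.append("cookie:initial-redirect")
        if ua in FORGED_UAS:  # exact match: the malware sends these strings verbatim
            reasons.append("ua:forged-" + FORGED_UAS[ua])
        if reasons:
            findings.append({"ts": ts, "client": client, "host": host, "reasons": ",".join(reasons)})
    return findings

def compromised_clients(lines: List[str]) -> Set[str]:
    # A forged User-Agent is the traffic the post ties to a successful infection.
    return {f["client"] for f in scan_proxy_log(lines) if "ua:forged" in f["reasons"]}

# Constructed sample log: one victim walking the chain, one uninvolved client.
BENIGN_UA = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"
SAMPLE_LOG = ["\t".join(r) for r in [
    ("2013-05-01T10:00:01", "10.0.0.5", "www.astrostyle.com", "/tabcontent.js", BENIGN_UA, "-"),
    ("2013-05-01T10:00:02", "10.0.0.5", "forogozoropoto.freetcp.com", "/143", BENIGN_UA, "-"),
    ("2013-05-01T10:00:03", "10.0.0.5", "mulivefy.ddns.info", "/info.php?n=143", BENIGN_UA, "pma_visited_theme2=1"),
    ("2013-05-01T10:00:09", "10.0.0.5", "report.o793i7q31793iqg3.com", "/", MSIE_UA, "-"),
    ("2013-05-01T10:05:00", "10.0.0.7", "www.example.com", "/", BENIGN_UA, "-"),
]]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the three chain requests from 10.0.0.5 and nothing from 10.0.0.7; `compromised_clients` narrows that to the client that sent the forged MSIE string.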

VirusTotal:
UjajifmLf.jar: https://www.virustotal.com/en/file/2dc26d941c01eca4234342c0f71151f58066636211eda414c56f5812c2d47746/analysis/

scandsk.exe: https://www.virustotal.com/en/file/22f292cfd031d578251581472688364f007c50bf5cac210cf0d25e2bb512d978/analysis/

The organization hosting www[.]astrostyle.com has been contacted.

[Image: astrostyle-styx-chain]