Styx/Kein Exploit Kit drive-by encounter at www[.]

WARNING: I don't recommend interacting with any of the domains in this post.
Please use caution if you wish to investigate further.

The server at www[.] appears to have been compromised.
If a user browses to this site from a search engine, the tabcontent.js file includes an encoded JavaScript redirect that eventually leads to a fake AV scan, where the user is prompted to download an executable to remove the "infections". For good measure, the page also loads a Java exploit in the background to deliver the same payload without user consent.

The chain of events:
tabcontent.js pulls JavaScript from forogozoropoto[.]
where a JavaScript redirect leads to mulivefy[.]

Followed by two 302 redirects to www3[.] and then www1[.]

Binary load (scandsk.exe) comes from www2[.]

Checkin -> report[.]
using forged User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Followed by requests to:
using forged User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre

Watching for the “pma_visited_theme2” cookie may help identify an encounter with the initial redirect.
The presence of the forged user agents may be seen after a successful compromise.
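The two detection hints above (the "pma_visited_theme2" cookie marking the initial redirect, and the forged User-Agent strings appearing after a successful compromise) can be turned into a simple log scan. The following is an added example, not code from the original post: it runs over a few constructed proxy log lines in an assumed format (timestamp, client IP, method, URL, quoted User-Agent, quoted Cookie header) and flags the cookie, the two forged User-Agents quoted in the post, and a request for the scandsk.exe payload. The hostnames in the sample log use the reserved .invalid TLD because the post redacts the real domains.

```python
"""Added example: flag the indicators described in the post in proxy logs.

The log format and the hostnames in SAMPLE_LOG are constructed for this
example; only the cookie name, User-Agent strings and payload file name
come from the post.
"""
import re
from dataclasses import dataclass

# Indicators taken directly from the post.
REDIRECT_COOKIE = "pma_visited_theme2"
FORGED_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; "
    ".NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; "
    ".NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre",
}
PAYLOAD_NAME = "scandsk.exe"

# Assumed (constructed) log line layout:
#   <timestamp> <client-ip> <METHOD> <url> "<User-Agent>" "<Cookie header or ->"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample traffic: one host walks the whole chain, one is benign.
SAMPLE_LOG = """\
2013-05-01T10:00:01Z 10.0.0.5 GET http://compromised-site.invalid/index.html "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0" "-"
2013-05-01T10:00:02Z 10.0.0.5 GET http://compromised-site.invalid/tabcontent.js "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0" "pma_visited_theme2=1"
2013-05-01T10:00:09Z 10.0.0.5 GET http://payload-host.invalid/scandsk.exe "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0" "-"
2013-05-01T10:01:30Z 10.0.0.5 POST http://checkin-host.invalid/report "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre" "-"
2013-05-01T10:02:00Z 10.0.0.7 GET http://compromised-site.invalid/about.html "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0" "-"
"""


@dataclass(frozen=True)
class Finding:
    client: str
    indicator: str  # "redirect-cookie", "payload-download" or "forged-user-agent"
    url: str


def scan_line(line):
    """Return the findings for a single log line (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than guess
    client, url, ua, cookie = m["client"], m["url"], m["ua"], m["cookie"]
    findings = []
    # The cookie is set during the initial redirect, so it marks the encounter.
    if REDIRECT_COOKIE + "=" in cookie:
        findings.append(Finding(client, "redirect-cookie", url))
    # The executable fetched by the fake AV page / Java exploit.
    if url.rsplit("/", 1)[-1].lower() == PAYLOAD_NAME:
        findings.append(Finding(client, "payload-download", url))
    # Forged UAs are used by the payload's check-in traffic, so they indicate
    # that the binary already ran.
    if ua in FORGED_USER_AGENTS:
        findings.append(Finding(client, "forged-user-agent", url))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for line in lines for f in scan_line(line)]


def summarize(findings):
    """Map each client IP to the set of indicator stages seen for it."""
    summary = {}
    for f in findings:
        summary.setdefault(f.client, set()).add(f.indicator)
    return summary


def post_compromise_clients(summary):
    """Clients showing the forged UA, i.e. traffic from an executed payload."""
    return sorted(c for c, stages in summary.items() if "forged-user-agent" in stages)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.client:10} {f.indicator:18} {f.url}")
    print("post-compromise hosts:", post_compromise_clients(summarize(found)))
```

A host that only carries the cookie has met the redirect; a host that also shows the forged User-Agent has run the binary and should be handled as compromised rather than merely exposed.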

The organization hosting www[.] has been contacted.