The party continues: Fiesta Kit at metalsucks[.]net


In this case the malicious injection is hiding at metalsucks[.]net/listmessenger/api/key.api.php.
When decoded, the script creates a hidden iframe for the exploit kit landing page at rauskyt[.]sytes.net/cervymzxwlxxqaqdf/42e31cc0f289de4799eb08e3e2ea90f2/

[Figure: decoded injection from key.api.php]

Adobe Flash and Reader exploits:
bdhQUtuI.swf: rauskyt[.]sytes.net/781h9jb/?7a7e24674b95efc74416515e060f00000550015e0656060c0253050050520102;112202;233
NnZAH20X.pdf: rauskyt[.]sytes.net/781h9jb/?6aa85a40674bbf235a080303015a0207045057030103040b0353535d57070305
(No Java interaction in this case)

Payloads:
flashplayer11_7r67216_413_win.exe: rauskyt[.]sytes.net/781h9jb/?5c265948cbbbb462501b570d0102020f0752040d015b040300510053575f030d;1;3
flashplayer11_7r67216_423_win.exe: rauskyt[.]sytes.net/781h9jb/?6137b608cbbbb4625349560c560d060f0400050c56540003030301520050070d;2;3

Again we see the use of j.maxmind.com/app/geoip.js for a GeoIP lookup (the request carries no User-Agent or Accept headers), followed by malformed DNS queries to 194.165.17.4.
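As an added detection example (not part of the original post), the following Python flags proxy log entries that show the two traffic features described above: the Fiesta-style `/<segment>/?<64 hex>;n;m` request URLs and the geoip.js lookup sent without User-Agent or Accept headers. The log format, the client addresses and the benign entries are constructed for the example; the two rauskyt.sytes.net URLs are the ones quoted in this post.

```python
import re
from typing import Dict, List, Set, Tuple

# Heuristic built from the URLs in this post: short alphanumeric path segment,
# "?" plus exactly 64 hex chars, then up to two optional ";<digits>" fields.
EK_URL_RE = re.compile(r"^/[A-Za-z0-9]{4,12}/\?[0-9a-f]{64}(?:;\d+){0,2}$")
# Constructed proxy log lines (tab-separated: time, client, host, path,
# User-Agent, Accept; "-" = header absent). The two rauskyt.sytes.net URLs are
# quoted from the post; every other value is made up for this example.
SAMPLE_LOG = [
    "2013-09-10T08:00:01\t10.0.0.5\twww.example.com\t/index.html\tMozilla/5.0\ttext/html",
    "2013-09-10T08:00:05\t10.0.0.5\trauskyt.sytes.net\t/781h9jb/?7a7e24674b95efc74416515e060f00000550015e0656060c0253050050520102;112202;233\tMozilla/5.0\t*/*",
    "2013-09-10T08:00:09\t10.0.0.5\trauskyt.sytes.net\t/781h9jb/?5c265948cbbbb462501b570d0102020f0752040d015b040300510053575f030d;1;3\tMozilla/5.0\t*/*",
    "2013-09-10T08:00:12\t10.0.0.5\tj.maxmind.com\t/app/geoip.js\t-\t-",
    "2013-09-10T08:01:00\t10.0.0.9\tj.maxmind.com\t/app/geoip.js\tMozilla/5.0\t*/*",
]

def parse_line(line: str) -> Dict[str, str]:
    ts, client, host, path, ua, accept = line.split("\t")
    return {"ts": ts, "client": client, "host": host, "path": path,
            "ua": ua, "accept": accept}

def tags_for(entry: Dict[str, str]) -> List[str]:
    """Detection tags for one request; empty list if nothing matched."""
    tags = []
    if EK_URL_RE.match(entry["path"]):
        tags.append("fiesta-style-url")
    # Browsers always send User-Agent and Accept; the post's payload sent neither.
    if (entry["host"] == "j.maxmind.com" and entry["path"] == "/app/geoip.js"
            and entry["ua"] == "-" and entry["accept"] == "-"):
        tags.append("headerless-geoip-lookup")
    return tags

def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(client, host+path, tags) for every line that raised at least one tag."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        tags = tags_for(entry)
        if tags:
            hits.append((entry["client"], entry["host"] + entry["path"], tags))
    return hits

def suspicious_clients(lines: List[str]) -> Set[str]:
    """Clients showing both the exploit/payload URL and the post-infection check-in."""
    seen: Dict[str, Set[str]] = {}
    for client, _, tags in scan(lines):
        seen.setdefault(client, set()).update(tags)
    return {c for c, t in seen.items()
            if {"fiesta-style-url", "headerless-geoip-lookup"} <= t}
```

The URL regex is a heuristic for the pattern seen here, not a definitive kit signature; the client-level correlation in `suspicious_clients` is what turns two weak indicators into a usable alert.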

[Figure: DNS queries to 194.165.17.4]

And again, fake AV Internet Security 2013 scans the machine, this time finding “22 useless and unwanted files.”
Don’t be fooled. These criminals only want to sell you worthless software.

[Figure: fake AV Internet Security 2013 scan]

VirusTotal:
bdhQUtuI.swf: https://www.virustotal.com/en/file/7a295f1e9f76d0ee36d5824afe1751503cdffd6df90111e8a0a2cbf7de022083/analysis/
NnZAH20X.pdf: https://www.virustotal.com/en/file/dfc96a57234088d6b07c9cab4b9e2a7f3e14f34bf28df02b588ef67c6b9c4195/analysis/1378799591/
flashplayer11_7r67216_413_win.exe: https://www.virustotal.com/en/file/41d117f533dfa101ed0ce3c8eb4fc12f9ec6c5bd84ff45d60adbf8795699f805/analysis/1378799649/
flashplayer11_7r67216_423_win.exe: https://www.virustotal.com/en/file/bd320fa6c60c405e3f899043c1c48c4adab2589a3069044d86de9664c633cb70/analysis/1378799725/