- Injected iframe* loads landing page located at dbgpvlxy.sytes[.]net:12601 /sql/gentoo.php?deals=82
(copy of landing page for your review: [pastebin])
- Landing page loads malicious jar file from: dbgpvlxy.sytes[.]net:12601 /sql/teQMpowa.jar
(In this case only the .jar file was delivered. Requests for the .jnlp file failed).
- Encoded payload retrieved after successful exploitation (note the different subdomain): ngoydafv.sytes[.]net:12601 /version.php?back=300&meta=4&asia=664&courses=171&site=751&left=119&icons=7&title=131&radio=519&specials=2102441894
At the time of this encounter both of the above domains were at IP 188.8.131.52.
Passive DNS shows a number of suspect domains resolving to this IP: http://www.bfk.de/bfk_dnslogger.html?query=184.108.40.206#result
After the successful binary download, POST traffic to base.mustangnation[.]org /guardingfg/forum.php was observed with a fake User-Agent of Mozilla/4.0 and the headers Content-Type: application/octet-stream and Vary: User-Agent.
Also observed GET requests for /pl/bor.mod and /pl/pon.mod from base.dynastyspirits[.]com
These appear to be PKZIP-compressed files, but I haven’t yet had the opportunity to examine them further, and VirusTotal reports zero detections (see below).
Both base.mustangnation[.]org and base.dynastyspirits[.]com were at IP 220.127.116.11 when this encounter occurred.
*This appears to be related to the iframe campaign recently reported by Sucuri.
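The observations above boil down to a small set of indicators that can be run against proxy or IDS logs: the four hosts, the request paths, the shape of the /version.php payload URL (a long query string of short names with purely numeric values), the post-infection POST with a bare Mozilla/4.0 User-Agent and an octet-stream body, and the PKZIP magic the .mod files appeared to carry. The following script is an added example written for this page, not code from the original post or from the exploit kit; the indicator strings are copied from the write-up (kept defanged), while the log-entry format, the sample requests, the User-Agent strings in them and the stand-in .mod bytes are constructed here.

```python
"""Triage helpers for the exploit-kit encounter described above.

Added example, not part of the original write-up. Indicator strings are
taken from the write-up (defanged as written there); the log-entry format,
the sample traffic and the sample .mod bytes are constructed.
"""
import io
import zipfile
from urllib.parse import urlsplit, parse_qs

# Hosts from the write-up, defanged exactly as written there.
IOC_HOSTS = {
    "dbgpvlxy.sytes[.]net": "landing page / jar delivery",
    "ngoydafv.sytes[.]net": "encoded payload after exploit",
    "base.mustangnation[.]org": "post-infection POST",
    "base.dynastyspirits[.]com": ".mod retrieval",
}
IOC_PATHS = (
    "/sql/gentoo.php", "/sql/teQMpowa.jar", "/version.php",
    "/guardingfg/forum.php", "/pl/bor.mod", "/pl/pon.mod",
)


def refang(indicator):
    """Turn 'host[.]tld' back into 'host.tld' for matching against live logs."""
    return indicator.replace("[.]", ".")


def looks_like_payload_url(url):
    """Shape of the observed payload request: /version.php followed by a
    long query string whose values are all purely numeric."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    return (parts.path.endswith("/version.php")
            and len(params) >= 8
            and all(len(v) == 1 and v[0].isdigit() for v in params.values()))


def triage(entry):
    """entry: dict with method, url, user_agent and optional content_type
    (constructed format). Returns the reasons the request matches."""
    reasons = []
    parts = urlsplit(entry["url"])
    host = parts.hostname or ""
    for defanged, role in IOC_HOSTS.items():
        if host == refang(defanged):
            reasons.append(f"known host ({role})")
    if parts.path in IOC_PATHS:
        reasons.append(f"known path {parts.path}")
    if looks_like_payload_url(entry["url"]):
        reasons.append("payload-style /version.php query")
    # Post-infection beacon: POST with the bare 'Mozilla/4.0' UA and an
    # octet-stream body, as observed to base.mustangnation[.]org.
    if (entry["method"] == "POST"
            and entry.get("user_agent") == "Mozilla/4.0"
            and entry.get("content_type") == "application/octet-stream"):
        reasons.append("POST with bare Mozilla/4.0 UA and octet-stream body")
    return reasons


def inspect_mod(data):
    """Check for the PKZIP local-file-header magic and, if the blob is a
    readable archive, return its member names."""
    if not data.startswith(b"PK\x03\x04"):
        return False, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return True, zf.namelist()
    except zipfile.BadZipFile:
        return True, []  # magic present but archive truncated or corrupt


# Constructed sample traffic in the shape of the encounter (not real log data;
# the User-Agent strings are assumptions).
SAMPLE_LOG = [
    {"method": "GET", "url": "http://dbgpvlxy.sytes.net:12601/sql/gentoo.php?deals=82",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1)"},
    {"method": "GET", "url": "http://dbgpvlxy.sytes.net:12601/sql/teQMpowa.jar",
     "user_agent": "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0"},
    {"method": "GET", "url": "http://ngoydafv.sytes.net:12601/version.php?back=300&meta=4"
     "&asia=664&courses=171&site=751&left=119&icons=7&title=131&radio=519&specials=2102441894",
     "user_agent": "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0"},
    {"method": "POST", "url": "http://base.mustangnation.org/guardingfg/forum.php",
     "user_agent": "Mozilla/4.0", "content_type": "application/octet-stream"},
    {"method": "GET", "url": "http://base.dynastyspirits.com/pl/bor.mod", "user_agent": "Mozilla/4.0"},
    {"method": "GET", "url": "http://www.example.com/index.html", "user_agent": "Mozilla/5.0"},  # benign control
]


def run_triage(log=SAMPLE_LOG):
    """Return (url, reasons) for every entry that matches at least one indicator."""
    return [(e["url"], triage(e)) for e in log if triage(e)]


def constructed_mod():
    """A constructed PKZIP blob standing in for bor.mod; the real file was not examined."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for url, reasons in run_triage():
        print(url, "->", "; ".join(reasons))
    print(inspect_mod(constructed_mod()))
    print(inspect_mod(b"MZ\x90\x00"))
```

The host and path matches are exact by design, since the hostnames rotate; the two shape-based checks (the numeric-only /version.php query and the bare Mozilla/4.0 POST with an octet-stream body) are the ones worth keeping when the infrastructure moves, and `inspect_mod` is the quick first look one would take at the .mod files before deeper analysis.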