zeboms[.]tk/show_content.php?fgpimk=lrsuk&id=4642B3AD8EB1331F63B111F171C670700DA304E3EFF16822032449944AB075E487805D
one.theleadersummit[.]com/boards/viewtopic.php?t=0i3&f=o5aew38bpq8ca58engnpikp4ucvwuef5z9ej1ctm014keykgo-q773pf_ahi58p76yvzpoffylkdqe_-8k4eih0j03n2t-i1y
Unfortunately for our analyst we don’t always get packets so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the events the user was searching for plastic surgeons in Scottsdale Arizona:
scottsdaleps[.]com/
azplasticsurgerycenter[.]com/
yellowpages[.]com/scottsdale-az/plastic-surgeons
desertplasticsurgery[.]com/
innovativecosmeticsurgery[.]com/
admireplasticsurgery[.]com/
marcmalekmd[.]com/
rejuvent[.]com/
markmeyersmd[.]com/
After going through each page I found the compromised site to be:
scottsdaleps[.]com/
Here is the injected script:
Here is the HTTP traffic:
TCP stream showing call for the Flash file (redirector):
This is used to redirect visitors to the Angler EK.
According to VirusTotal the .swf file has a current detection ratio of 5/54.
Gate showing JavaScript (window.self.location.replace) loads EK landing page:
HTTP request for the Angler EK landing page:
While this led to the Angler EK I haven’t yet had any success in getting my test environment infected. I will be switching my version of Flash Player for more runs at the EITest gate in the near future.
Malware breakdown 