Dotkachef Exploit Kit Comeback
Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, discovered an interesting new malvertising campaign that uses legitimate ad systems. The infection starts with a compromised advertisement URL hosted on a legitimate website and ultimately lures victims to the Dotkachef exploit kit.
Dotkachef is a new underdog exploit kit that first emerged in early 2013. Unlike the Magnitude and Neutrino exploit kits, which emerged in the same time period, Dotkachef did not get the attention or the coverage these other exploit kits got when they first surfaced. Dotkachef has come back with a very sneaky yet very effective scheme. It infects known advertising systems such as OpenX. The use of advertising systems has proven to be an extremely effective method of spreading malware through trusted legitimate ad chains. Websense Security Labs has encountered and covered similar attacks before with different types of exploit kits:
In this blog, we will analyze this new malicious campaign. The infection chain is as follows:
1. A legitimate compromised site hosting a malicious advertisement URL.
2. The infected URL is usually hosted on legitimate sites.
3. The compromised advertisement URL contains obfuscated malicious code that eventually lures victims to the exploit kit page.
4. Deobfuscation of the code leads to a known Dotkachef redirector URL, such as hxxp://brins.biz.
5. This URL then redirects victims once more to another obfuscated URL hosted on a compromised site.
6. The deobfuscation results finally lead victims to the exploit kit.
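As an added example (not code from the original post), the chain above can be reconstructed on the defender's side from proxy logs that record the Referer header: the Python below follows referers per client and flags clients whose chain passes through a known redirector domain such as brins.biz before reaching a further host. The log lines, client addresses and every domain other than brins.biz are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not from the post): "client<TAB>requested URL<TAB>Referer",
# with "-" meaning no Referer. Hosts other than brins.biz are placeholders.
SAMPLE_LOG = """\
10.0.0.5\thttp://news.example.com/article.html\t-
10.0.0.5\thttp://ads.example.net/serve?zone=1\thttp://news.example.com/article.html
10.0.0.5\thttp://brins.biz/go?x=PLACEHOLDER\thttp://ads.example.net/serve?zone=1
10.0.0.5\thttp://compromised.example.org/s/gate.php\thttp://brins.biz/go?x=PLACEHOLDER
10.0.0.5\thttp://landing.example.info/ek/index.php?id=7\thttp://compromised.example.org/s/gate.php
10.0.0.9\thttp://news.example.com/article.html\t-
10.0.0.9\thttp://ads.example.net/serve?zone=1\thttp://news.example.com/article.html
"""

# Redirector domain named in the post; extend this set with your own intelligence.
KNOWN_REDIRECTORS = {"brins.biz"}


def parse_log(text):
    """Return a list of (client, url, referer) tuples; referer is None when absent."""
    records = []
    for line in text.splitlines():
        client, url, ref = line.split("\t")
        records.append((client, url, None if ref == "-" else ref))
    return records


def build_chains(records):
    """Map (client, url) to the list of URLs, first page to this request, reached via referers."""
    chains = {}
    for client, url, ref in records:
        # If the referer itself was logged, reuse its chain; otherwise start from the referer alone.
        parent = chains.get((client, ref), [ref] if ref else [])
        chains[(client, url)] = parent + [url]
    return chains


def flag_clients(chains, redirectors=KNOWN_REDIRECTORS):
    """Return, per client, the longest chain that passes through a known redirector
    with at least one hop before it (the ad) and one after it (the next stage)."""
    hits = {}
    for (client, _), chain in chains.items():
        inner_hosts = [urlparse(u).netloc.lower() for u in chain[1:-1]]
        if any(h in redirectors for h in inner_hosts) and len(chain) > len(hits.get(client, [])):
            hits[client] = chain
    return hits


if __name__ == "__main__":
    for client, chain in flag_clients(build_chains(parse_log(SAMPLE_LOG))).items():
        print(client, " -> ".join(chain))
```

Client 10.0.0.9 only loaded the ad and is not reported; 10.0.0.5 is reported with the full five-hop chain.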
In conclusion, the Dotkachef exploit kit has found a new method to come back and compete with well-known exploit kits through the use of advertising systems, and has managed to stay hidden from, and hard to spot by, security vendors. Websense security solutions help guard against these kinds of exploit kits.