RedKit Exploit Kit


Slight change in RedKit URI


As noticed by @Set_Abominae and @kafeine, RedKit has made a slight modification to its URI.


The random file name now looks to be four characters for the HTML, JAR and JNLP requests; the EXE request remains two digits.

Redkit JNLP

HTTP Method = GET
HTTP URI ends with *.jnlp
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jnlp$

RedKit JAR

HTTP Method = GET
HTTP URI ends with *.jar
Content-type = application/java-archive
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jar$

*Is this change related to the Sophos article? Hmm… :)*

Current Event Redirectors to Redkit


Have been seeing these a lot recently in conjunction with recent events…

HTTP Method = GET
HTTP URI ends with */news.html OR */boston.html OR */texas.html
Regex HTTP Request for ^http:\/\/(\d\d?\d?\.){3}\d\d?\d?\/(news|texas|boston)\.html$

See examples of this on UrlQuery.net

Slight changes in RedKit URI


Finally seeing some changes/customization in Redkit payloads, a departure from the static files.

vivianmastrangelo.com/atnf.htm
vivianmastrangelo.com/pqo.jar
vivianmastrangelo.com/11.html > encoded (application/octet-stream)

chelscore.com/wtpp.html
chelscore.com/jce.jar
chelscore.com/55.html > encoded (application/octet-stream)

JAR

HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[a-z0-9]{3}\.jar$

Confirmed by @node5 and @xanda on twitter

EXE

HTTP Method = GET
Content-Type = application/octet-stream
HTTP Destination = *.html
User-Agent = *Java/1.*

Regex HTTP URI for \/[0-9]{2}\.html$ <-- Optional

Redkit Random Gates


Here are some more recent strings to locate RedKit gates.

Regex HTTP URI for "\/(hfrn|azhd|eesb|hfqf|mapn|wmhd|mzyp|oegu|efgv|acsu|acej|hmod|aoei|aoef|asyq|asju|awtg|zmyg|awtg|wesn|hawf|actu|ozzi|hcwf|wehf|aces|mhes|mhos|efxq|acgu|eotp|cctg|hmpu|aiyh|pztp|mayp|ezzi|ewci|aced|hzws|eitr|mzai|aesr|asjs|ezzf|gsjj|zhsu)\.html?"

Can regex with \/[a-z]{4}\.html?$

There will be false positives; use a dictionary of four-letter words (as a CSV) to weed out common words.

See examples of Random Redkit Gates on UrlQuery.net

Some RedKit gates also have a parameter on the end of the gate URL, which makes it easier to weed out false positives.

e.g.

http://forum.ymsite.com/mzcs.html?j=1317756
http://alphafenceflorida.com/heiu.htm?h=756208
http://treatmentregistry.org/ccms.html?i=1127744

Can regex with \/[a-z]{4}\.html?\?[a-z]=[0-9]+$

See examples of Redkit Gate w/ Param on UrlQuery.net
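The gate signatures above (plain four-letter gate with the dictionary filter, and the gate-with-parameter form) together with the four-character JAR/JNLP and two-digit EXE signatures from the first post, applied to constructed sample URLs. This is an added example, not code from the original posts; the hostnames under example.invalid, the COMMON_WORDS set and the sample log records are constructed stand-ins.

```python
import re

# Constructed stand-in for the CSV of common four-letter words the post suggests
# for weeding out false positives on the plain four-letter gate pattern.
COMMON_WORDS = {"news", "home", "help", "blog", "info", "main", "page", "shop"}

# (signature name, regex on the full GET URL, Content-Type the post pairs it with or None)
SIGS = [
    ("redkit_gate_param", re.compile(r"^http://[a-z0-9A-Z.-]+/[a-z]{4}\.html?\?[a-z]=[0-9]+$"), None),
    ("redkit_gate",       re.compile(r"^http://[a-z0-9A-Z.-]+/[a-z]{4}\.html?$"), None),
    ("redkit_jnlp",       re.compile(r"^http://[a-z0-9A-Z.-]+/[a-z0-9A-Z]{4}\.jnlp$"), None),
    ("redkit_jar",        re.compile(r"^http://[a-z0-9A-Z.-]+/[a-z0-9A-Z]{4}\.jar$"), "application/java-archive"),
    # EXE: executable served under a two-digit .html name with an octet-stream content type
    ("redkit_exe",        re.compile(r"^http://[a-z0-9A-Z.-]+/[0-9]{2}\.html?$"), "application/octet-stream"),
]

GATE_NAME = re.compile(r"/([a-z]{4})\.html?(\?|$)")

def classify(url, content_type=None):
    """Return the name of the first signature that fires for a GET url, or None."""
    for name, rx, ctype in SIGS:
        if not rx.match(url):
            continue
        if ctype is not None and content_type != ctype:
            continue  # the post pairs this URI shape with a specific Content-Type
        if name == "redkit_gate":
            # plain four-letter gate: drop hits whose file name is a dictionary word
            word = GATE_NAME.search(url).group(1)
            if word in COMMON_WORDS:
                return None
        return name
    return None

# Constructed proxy-log style records: (requested URL, response Content-Type)
SAMPLE_LOG = [
    ("http://forum.ymsite.com/mzcs.html?j=1317756", "text/html"),
    ("http://example.invalid/news.html", "text/html"),
    ("http://example.invalid/aced.htm", "text/html"),
    ("http://example.invalid/abcd.jar", "application/java-archive"),
    ("http://example.invalid/33.html", "application/octet-stream"),
    ("http://example.invalid/33.html", "text/html"),
]

def scan(records):
    """Return [(url, signature)] for every record a signature fires on."""
    hits = []
    for url, ctype in records:
        sig = classify(url, ctype)
        if sig:
            hits.append((url, sig))
    return hits
```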

Redkit Exploit Kit


RedKit likes to deliver its payload as an executable named like an HTML file.

HTTP Request Method = GET
HTTP URI = *.html or *.htm
Content Type = application/octet-stream

RedKit Gate

Regex URI for "\/h(m|f)[a-z]{2}\.html?$" (this is now out of date; they seem to have switched to random names).

Examples:

/aced.htm
/acgu.htm
/efxq.htm
/hcwf.htm

Can regex for ^http:\/\/[a-z0-9-.]+?\/[a-z]{4}\.html?$ but it is very prone to false positives.

JARs and PDFs are still easiest to spot.

/887.jar
/332.jar
/987.pdf
/Runs.class
/Runs/class.class
/Gobon/class.class
/Gobon.class

EXEs are still easy too.

/33.html (application/octet-stream)
/62.html (application/octet-stream)

Examples:

See Examples of RedKit Gates in UrlQuery.net

See examples of RedKit PDF and JAR files in UrlQuery.net

See examples of RedKit EXE files in UrlQuery.net

REM RedKit Redirector – Not sure if still active

HTTP Request Method = GET
HTTP URI = */rem*.htm OR */rem*.html

Regex

":81\/rem[0-9]\.html?$"

See examples of REM redirectors on UrlQuery.net

Probable ZBOT Post-Compromise Activity


Found these in a very noisy redkit attack…not totally sure that it’s ZBOT. Corrections welcome…

POST naurg. com/xhobdogfz.db
POST naurg. com/fjgmzzllvqoycbsustahfwbsuytqzhtidcjihpgvtu.rtf
POST naurg. com/issrxrdzlpofezkwhmuhymmorkplnc.7z
POST naurg. com/ixzygseaenf.log
POST ronavo .com/npjvncroe.log
POST ronavo .com/lwtirttzxoevcaztzylqbou.7z
POST ronavo .com/kaaaaaabnqayupqau.rar
POST ronavo .com/bzmqvwtwbrejgqibfkgmjirjcpwoclitfdshtsmftyuhvtwbdsqrkvgpnozym.php3

HTTP Method = POST
Content-Type = "application/x-www-form-urlencoded"
Regex HTTP URI for ^http:\/\/[a-zA-Z0-9-.]+\/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$

http://kargid. org/c.htm?uvZA8kUIv7AwOZCMqkqhwl7jDZUOEtWFwErdgRUr
http://joshuagsilverman .com/q.htm?tVgNliikvKhhITo2QcV1ooZ6QICtS8
http://homedecorreviews. com/g.htm?Eyl5gRHaELSinXQ9fvb8k3XUOfoOTq
http://heritageclothingcompany .com/w.htm?OomDwn2fWkkW598iEtR5afe
http://solomaquetas. com/l.htm?ZQjpwNPWV1o94aEFkSdd1vYt1ZjKWC4zOr
http://gorgeoregon. com/w.htm?f9QAXSZ4vUh6qvt43YOaauWiEfSqvZKlDjI
http://compstar .us/k.htm?oyQWBuciU6G3qqIu73gpbnxia7m2m8A8baezO51
http://canadabook .ca/y.htm?qELp27uE4QF76X65tsSEitdFC63ymvKqICc16

HTTP Method = GET
Content-Type = "application/octet-stream"
User-Agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Regex HTTP URI for \/[a-z]\.htm\?

Regex HTTP URI for ^[a-zA-Z0-9:/.?_-]{57,64}$ > they all seem to be 57-64 characters right now… (the hyphen is placed last in the class so it is a literal rather than a ?-_ range)