Disclaimer: I won't study this one in detail. The global logic should not be far from The Styxy Cool or Styx itself. Once again, just a "connecting some dots" post.

For many months, what I was mentally naming "Weird Styx", which was really similar to Kein/Styx Kein, puzzled me.

2013-01-22 - "a Weird Styx"

This was as Styxy as an exploit kit can be...but not as randomized as Styx was.
Exploits were rotating really slowly as in Kein.

I would not be surprised if the coder of the exploits/scheme of Styx, Styxy Cool, Kein and Null Hole is the same.


Null Hole - Login Page
Null Hole - 1 API Call (Used for instance by TDS to get the actual landing)

Null Hole - Raw Stats on one Thread


Null Hole - Partner management
Null Hole. A bunch of Sploits.



Null Hole - Manage Clone (vhosts/proxies)

You remember the signed Cryptowall that got some attention a month ago?

It was pushed in both Nuclear Pack and Null Hole.

This is the Null Hole thread:

Null Hole 2014-09-29


The number of victims of that thread: 770.

{"objects":[{"blocked":9963,"loads":770,"raw":47506,"stream_id":"9","unique":20584,"withdrawn":0}]}

This exploit kit seems to be blinking: used for a few weeks, then disappearing for a month or two.

Here is a fresh pass (thanks to @robemtnez):
Null Hole - 2014-11-17
Here: Firing CVE-2014-0515 - 2014-0569 (Thx TimoHirvonen)
CVE-2013-2551

2014/11/17 20:18:09;camping.ycw94.com;80;198.50.27.162

Files:
You'll find a Pcap from Brad here.
